AUTH statements for common Internet cases
>Re: comments on client auth
At 10:14 AM 6/20/96 -0400, Carl Ellison wrote:
[speaking of how to format AUTH records in an SPKI certificate, giving
access permission as well as permission to delegate that access permission]
>I would like it if each of you would take a crack at generating a list of
>authority lines for things like machine access or whatever else is important
>to you. We also need to be able to specify if the authority holder has the
>authority also to delegate it -- and if so, how far (maybe a permitted hop
>count?).
>
>If this were files, we could imitate UNIX (rwx) permissions and give each
>one an optional hop count besides with the rule that any delegation has to
>use a strictly lesser hop count. Let's expand that set to (rwad) (read,
>write, add, delete):
>
>>E.g.: for file system access
>
>FS: (R4W1A2D1) /home/user/cme/spki/
------------------------
Clearly, instead of a pathname this needs to be a URL -- e.g.,
FS: (R*) http://www.clark.net/pub/cme/html/cert.html
(meaning read-only and permission to delegate indefinitely -- so that this
person could generate a cert with (R*) or (R8) or any other number)
FS: (R12A) ftp://ftp.clark.net/pub/cme/
(meaning permission to read and delegate 12 hops deep (effectively infinite,
but I needed an example); permission to write but not to delegate that
permission;
The permission here is for a directory only.)
FS: (R3A) ftp://ftp.clark.net/pub/cme/ [...]
(meaning permission at that directory and all files and directories under it
as well as permission to generate certs for others with (R2), (R1) or (R)
permission)
-------
The examples above assume a file system which grants access based on
certificates. I know of none, today.
Today we have UNIX, for example, with its own access granting based on user
name. So, we'd need auth lines like:
FTP: 1,ftp.clark.net,cme
(meaning permission to enter ftp.clark.net as user cme, with permission to
delegate but not to delegate delegation)
TELNET: 0,cybercash.com,cme
(meaning permission to telnet into cybercash.com as user cme, with no
permission to delegate)
---------------
- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+--------------------------------------------------------------------------+
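Added example, not part of Carl Ellison's message: a small parser for the AUTH line formats sketched above (FS: with per-letter hop counts, FTP:/TELNET: with a single hop count) plus a check that applies the delegation rule stated in the message, namely that any delegated cert must use a strictly lesser hop count. The grammar below is my reading of the examples (a letter with no count means "may not delegate", `*` means unlimited, a trailing `[...]` means the whole subtree); it is an assumption, not something the message or SPKI defines.

```python
"""Parser and delegation checker for the AUTH line sketches in the message.

Assumed grammar (my reading of the examples, not a specification):
  FS: (<perms>) <url> [ "[...]" ]
      <perms> is a run of <letter><count>? with <letter> in R W A D and
      <count> a decimal hop count or '*' (delegate indefinitely);
      a letter without a count is held but may not be delegated.
  FTP: <hops>,<host>,<user>      TELNET: <hops>,<host>,<user>
Delegation rule from the message: a delegated cert must use a strictly
lesser hop count than the issuer holds for that permission.
"""
import re
from dataclasses import dataclass
from typing import Dict, Union

UNLIMITED = float("inf")  # the '*' hop count

_FS_RE = re.compile(r"^FS:\s*\(([RWAD0-9*]*)\)\s*(\S+)(\s*\[\.\.\.\])?\s*$")
_PERM_RE = re.compile(r"([RWAD])(\*|\d+)?")
_LOGIN_RE = re.compile(r"^(FTP|TELNET):\s*(\d+),([^,\s]+),([^,\s]+)\s*$")


@dataclass
class FsAuth:
    perms: Dict[str, float]  # letter -> hop count; 0 = held, not delegable
    url: str
    subtree: bool            # True when the line ends in "[...]"


@dataclass
class LoginAuth:
    service: str
    hops: int
    host: str
    user: str


def parse_fs(line: str) -> FsAuth:
    m = _FS_RE.match(line)
    if not m:
        raise ValueError("not an FS: auth line: %r" % line)
    body, url, subtree = m.groups()
    perms: Dict[str, float] = {}
    pos = 0
    for pm in _PERM_RE.finditer(body):
        if pm.start() != pos:  # a count with no letter, e.g. "(4R)"
            raise ValueError("malformed permission list: %r" % body)
        pos = pm.end()
        letter, count = pm.groups()
        if letter in perms:
            raise ValueError("duplicate permission %s" % letter)
        perms[letter] = UNLIMITED if count == "*" else int(count or 0)
    if pos != len(body):
        raise ValueError("malformed permission list: %r" % body)
    return FsAuth(perms, url, bool(subtree))


def parse_login(line: str) -> LoginAuth:
    m = _LOGIN_RE.match(line)
    if not m:
        raise ValueError("not an FTP:/TELNET: auth line: %r" % line)
    service, hops, host, user = m.groups()
    return LoginAuth(service, int(hops), host, user)


def parse_auth(line: str) -> Union[FsAuth, LoginAuth]:
    return parse_fs(line) if line.startswith("FS:") else parse_login(line)


def may_delegate_fs(issuer: FsAuth, delegated: FsAuth) -> bool:
    """True if the issuer's FS auth permits issuing the delegated FS auth."""
    # Scope: same URL, or a URL under the issuer's when the issuer holds the
    # subtree. Prefix matching assumes directory URLs end in '/'.
    if delegated.url != issuer.url:
        if not (issuer.subtree and delegated.url.startswith(issuer.url)):
            return False
    if delegated.subtree and not issuer.subtree:
        return False
    for letter, hops in delegated.perms.items():
        held = issuer.perms.get(letter)
        if held is None:            # issuer does not hold this permission
            return False
        if held == UNLIMITED:       # '*' may pass on '*' or any finite count
            continue
        if hops >= held:            # strictly lesser hop count required
            return False            # (held == 0 means "not delegable")
    return True


def may_delegate_login(issuer: LoginAuth, delegated: LoginAuth) -> bool:
    """Same service, host and user, and a strictly lesser hop count."""
    return (issuer.service == delegated.service
            and issuer.host == delegated.host
            and issuer.user == delegated.user
            and delegated.hops < issuer.hops)


if __name__ == "__main__":
    root = parse_fs("FS: (R3A) ftp://ftp.clark.net/pub/cme/ [...]")
    for cand in ("FS: (R2) ftp://ftp.clark.net/pub/cme/spki/ [...]",
                 "FS: (R3) ftp://ftp.clark.net/pub/cme/",
                 "FS: (R2A) ftp://ftp.clark.net/pub/cme/"):
        print(cand, "->", may_delegate_fs(root, parse_fs(cand)))
```

Run as a script it walks the `(R3A) ... [...]` example from the message through three candidate delegations: `(R2)` on a subdirectory is allowed, `(R3)` fails the strictly-lesser rule, and `(R2A)` fails because the issuer holds A with no hop count and so cannot pass it on.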