[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: delegation conflict, background
At 11:25 PM 7/1/96 -0700, Bill Frantz wrote:
[making the case for indefinite delegation]
>What Alice may have wanted was, "You can delegate this certificate to any
>machine on the corporate campus." But we have not given her the ability to
>say that.
The only means we have for specifying non-chain certification requires BFL's
PolicyMaker or the PROLOG subset Brian inspired me to write up (once I get
to it). Either of those would allow Alice to constrain a delegation, but
she'd have to write a program for it.
[What you're asking for is non-chain because the mini-super in your example
needs a cert from me delegating permission to get to a file plus a cert from
the sysadmins testifying to its being on campus. The policy statement which
checks both will not be a chain link.]
- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+--------------------------------------------------------------------------+