[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: delegation conflict, background



At 11:25 PM 7/1/96 -0700, Bill Frantz wrote:
[making the case for indefinite delegation]

>What Alice may have wanted was, "You can delegate this certificate to any
>machine on the corporate campus."  But we have not given her the ability to
>say that.

The only means we have for specifying non-chain certification requires BFL's
PolicyMaker or the PROLOG subset Brian inspired me to write up (once I get
to it).  Either of those would allow Alice to constrain a delegation, but
she'd have to write a program for it.

[What you're asking for is non-chain because the mini-super in your example
needs a cert from me delegating permission to get to a file plus a cert from
the sysadmins testifying to its being on campus.  The policy statement which
checks both will not be a chain link.]

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |
+--------------------------------------------------------------------------+