[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft of SPKI certificate internet-draft

There were a couple of items in my detailed comments on the draft that Carl
thought needed further discussion.  Assuming Carl's permission, I am
posting them here.  -  Bill Frantz

At 03:05 PM 7/10/96 -0700, Bill Frantz wrote:
>We seem to have a number of cert types, e.g. CRCert and Deleg cert.  These
>seem to me to be really uses of the standard format.  We probably need a
>place where all of these are specifically described.  Perhaps chapter 8,
>examples is the right place.

If that idea gets presented in the draft, I want to find a way to cancel it.
How about you give this comment on the whole list and we can discuss it
there? (at least get the discussion archived).  AFAIAC, there is only one
certificate type.  CRCert is a process, not a certificate.  DELEG is an
attribute of every cert.

>5.4, p33: We probably don't need to mention the issue, but performing
>access control via file names gets all tripped up when you allow aliases in
>the directory structure.  One of the SurfWatch/NetNanny etc. programs will
>lock out certain URLs, but not aliases for the same page.

This is an interesting case.   Some people really do want islands of access
within a sea of non-access.  For example, for ITAR-safe FTP sites, we at TIS
would have a link to a fixed directory name -- and keep changing the name of
the link.  The fixed directory name had very strong access control while the
link name had extremely weak access control.

Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA