[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I&A Forum complex authorizations

At  1:01 PM 7/19/96 -0400, Carl Ellison wrote:
>At 08:59 AM 7/19/96 -0400, David P. Kemp wrote:
>>The problem with SPKI free-form Auths is that access-granting
>>code is non-trivial if it has to deal with ensuring that things
>>like "employee of Chrysler", "Chrysler employee", "OU=Chrysler",
>>"Chryslr employee" (typo), and "OU=C" (use of ticker symbol
>>as organization name) are all treated as identical for
>>access-granting purposes.  You still need an attribute registry
>>if you want to have a canonical form against which to check
>>Auth entries typed by human operators.
>The registry doesn't have to be global...can be but doesn't have to be.  A
>given writer of access policy will state what has to be present and it's up
>to the certificate holder to acquire those <auth>s in the desired format.
>If we ever find people asking for the same thing (semantically) in different
>formats, we can call for a central discussion list and registry of suggested
>formats (perhaps in an RFC).

I may be being stupid again, but:  It seems to me that the only entity that
needs to understand the <auth> is the entity holding the secret key which
signed the cert.  If it didn't understand the <auth>, why did is sign it?

Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA