Re: I&A Forum complex authorizations
At 1:01 PM 7/19/96 -0400, Carl Ellison wrote:
>At 08:59 AM 7/19/96 -0400, David P. Kemp wrote:
>>The problem with SPKI free-form Auths is that access-granting
>>code is non-trivial if it has to deal with ensuring that things
>>like "employee of Chrysler", "Chrysler employee", "OU=Chrysler",
>>"Chryslr employee" (typo), and "OU=C" (use of ticker symbol
>>as organization name) are all treated as identical for
>>access-granting purposes. You still need an attribute registry
>>if you want to have a canonical form against which to check
>>Auth entries typed by human operators.
>
>The registry doesn't have to be global...can be but doesn't have to be. A
>given writer of access policy will state what has to be present and it's up
>to the certificate holder to acquire those <auth>s in the desired format.
>If we ever find people asking for the same thing (semantically) in different
>formats, we can call for a central discussion list and registry of suggested
>formats (perhaps in an RFC).
I may be being stupid again, but: It seems to me that the only entity that
needs to understand the <auth> is the entity holding the secret key which
signed the cert. If it didn't understand the <auth>, why did it sign it?
-------------------------------------------------------------------------
Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506 | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA