
RE: spec for wire format of SPKI cert


To your message's point about delegation of authority. Your mail:

" To repeat myself: As long as a legitimate user can set up a proxy service
to use a cert you gave him you can not prevent him from effectively
delegating the authority given by that cert.  In other words, the limits on
delegation in a cert are of the form "please don't delegate or we will
punish you" rather than "you can't delegate because the mathematics and
logic of the system prevent you from doing so".

Because of this fact, "don't delegate" should not be depended on where real
security is needed."

At VeriSign service design meetings, we considered the roles involved in punishment
where a cert service may (or may not) deliver rights to delegate authority. We set
up one of our mass-market services to ensure that it's the relying party who
can punish both the issuer and the message originator (who may be the same). It's
not a case of the issuer punishing the service subscribers (except in rather Fascist
certification systems being pushed by big business through some of the US state legislatures), but one of the issuer supporting the relying party with evidence to pursue
the message originator (where the issuer is a third party) in some civil dispute resolution
forum agreed between the disputants (and defaulting to civil law courts if not otherwise

Of course, normal policing by authorised police forces occurs for any and
all criminal acts.

I don't know what "real security" is. What is it?

What is the "real security" that a capability system provides?

Is it sometimes definitive, or always subject to interpretation? At least this perhaps we
could determine.