[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RE: spec for wire format of SPKI cert

To: spki@c2.net, PALAMBER@us.oracle.com
Subject: Re: RE: spec for wire format of SPKI cert
From: "Brian M. Thomas" <bt0008@entropy.sbc.com>
Date: Wed, 28 Aug 1996 15:50:57 -0500 (CDT)
Sender: owner-spki@c2.net

> >In other words, the limits on 
> >delegation in a cert are of the form "please don't delegate  
> >or we will punish you" rather than "you can't delegate  
> >because the mathematics and 
> >logic of the system prevent you from doing so". 
>  
> This seems wrong  ... First, delegation should be explicit.  The ability to 
> delegate a privilege should be available only when explicitly granted. 
>  
> Second, the logic of a system evaluating a set of authorization statements can 
> enforce the restrictions on delegation. 
>  
> Paul 

I was waiting for some time to think about this one, but I think I agree
with Paul.  If I issue a privilege and say it can be delegated only once,
and someone presents me a chain starting with my MAY-DELEGATE:1 cert, the
next one had better say MAY-DELEGATE:0, or I won't accept it.

Perhaps you're thinking differently, Bill...?

brian

Brian Thomas - Distributed Systems Architect  bt0008@entropy.sbc.com
Southwestern Bell                             bthomas@primary.net
One Bell Center,  Room 23Q1                   Tel: 314 235 3141
St. Louis, MO 63101                           Fax: 314 331 2755

Prev by Date: Re: Thoughts on the draft
Next by Date: Re: Thoughts on the draft
Prev by thread: Re: RE: spec for wire format of SPKI cert
Next by thread: RE: spec for wire format of SPKI cert -Reply
Index(es):
- Main
- Thread