[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Thoughts on the draft

At 11:06 AM 9/3/96 EDT, Angelos D. Keromytis wrote:
>>INCLUDE <hash alg>,<hash of body>
>>to achieve the same thing.  Am I understanding you correctly?
>That would be equivalent to what i suggested, but i'd feel better if
>you could have the signatures in the certificate, instead of separate
>certificates (come to think of that, one could move from one format to
>the other).

What do you mean by "signatures in the certificate"?  I think I'd like to
hear your definition for certificate and an example of what you mean.  It
sounds like you are using the word certificate to mean "that which gets sent
as a unit from A to B in order to authorize A for some action" -- with the
certificate holding all credentials which are required for that.

>>   AUTH: <auth-tag>,<N>,<parameters>
>>are just as parseable in binary as in ASCII.  Each parameter is a
>>byte-string -- with length followed by that many bytes.
>More straightforward implementation if you just use ASCII as the
>default format, IMO. I won't insist too much on this subject.

There appear to be two camps forming on this topic.  If we support both,
then there would be two forms of certificate which wouldn't interoperate.
The issue is which form is the source byte stream for the certificate's
signature.  If there are native ASCII certs, then the ASCII is the source
(ala SDSI).  If the binary is native, then the binary is the source.

I've met people who want to work in nothing but ASCII.  I've met others who
want to work in nothing but binary.

Opinions on how to proceed?

>>Should I assume that you are an advocate of S-expressions?
>Guilty as charged.
>I feel this approach gives more control to an application developer,
>and it allows for easily modifiable applications when signature
>algorithms/formats change.

If we were to go native ASCII, I find myself leaning in that direction also.
I was talking a couple of weeks ago with Wei Dai (who is doing a SDSI
implementation) and find I really like the S-expressions.  I'd like SDSI to
have the ability to refer to other objects by hash-pointer, but the
generality of S-expressions is nice.  It also opens up the possibility of
including programs (ala PolicyMaker) in a cert body.

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |