[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Thoughts on the draft
-----BEGIN PGP SIGNED MESSAGE-----
In message <email@example.com>, Carl Ellison writ
>What do you mean by "signatures in the certificate"? I think I'd like to
>hear your definition for certificate and an example of what you mean. It
>sounds like you are using the word certificate to mean "that which gets sent
>as a unit from A to B in order to authorize A for some action" -- with the
>certificate holding all credentials which are required for that.
NAME: Angelos D. Keromytis
ACCOUNT: 23476, 467
ACCOUNT: 1312, 12
SUBJECT: 1, 365fdfe
VALUE: 2, 8712637631786381762716
SUBJECT: 1, 365fdfe
VALUE: 1, 8734682764827696750597805
>There appear to be two camps forming on this topic. If we support both,
>then there would be two forms of certificate which wouldn't interoperate.
>The issue is which form is the source byte stream for the certificate's
>signature. If there are native ASCII certs, then the ASCII is the source
>(ala SDSI). If the binary is native, then the binary is the source.
>I've met people who want to work in nothing but ASCII. I've met others who
>want to work in nothing but binary.
>Opinions on how to proceed?
Of course, we could mandate creating signatures on both forms of the
certificate, in which case one doesn't need to do any translating at
all. But i'd rather go for some other solution (either binary or ASCII
is the "default").
>If we were to go native ASCII, I find myself leaning in that direction also.
>I was talking a couple of weeks ago with Wei Dai (who is doing a SDSI
>implementation) and find I really like the S-expressions. I'd like SDSI to
>have the ability to refer to other objects by hash-pointer, but the
>generality of S-expressions is nice. It also opens up the possibility of
>including programs (ala PolicyMaker) in a cert body.
I'm not overly enthusiastic about programs in a cert body. I don't see
them as generally useful, since the application that issues the
certificates has no need to send out the program that would do the
verification, and any other application that needs to check
credentials would not trust an embedded program.
-----BEGIN PGP SIGNATURE-----
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
-----END PGP SIGNATURE-----