RE: spec for wire format of SPKI cert



Wonderful summary, Bill.  Let me add:

At 03:56 PM 8/28/96 -0700, Bill Frantz wrote:
>It is as if Unix programs could no
>longer pass file handles to the programs they fork.  In a pure capability
>system (where capabilities are the only way of expressing authority), not
>being able to pass capabilities prevents any use of authority and therefore
>such a system is unworkable.
>
>In SPKI, we allow capability passing by use of certificates with the
>MAY-DELEGATE attribute.  This method provides a simple, auditable way to
>delegate authority.

For the forked process example, you might consider not just MAY-DELEGATE but
DELEGATE-ALL, for the parent to give the child every access the parent has.
You might want to restrict the child (e.g., with LOGIN forking a user
process) but you might have forked just for parallel processing.

 - Carl

+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
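
A toy model of the delegation rule discussed in this thread, added here as an example; it is not part of the original messages or of any SPKI specification. The field names, the `ALL` marker standing in for DELEGATE-ALL, and the principals are assumptions, and signature checking is left out.

```python
from dataclasses import dataclass

ALL = "*"  # assumed marker for DELEGATE-ALL: pass on everything the issuer holds

@dataclass(frozen=True)
class Cert:              # hypothetical fields, not the SPKI wire format
    issuer: str
    subject: str
    rights: frozenset    # rights granted, or {ALL}
    may_delegate: bool = False

def effective_rights(chain, root, root_rights):
    """Return (holder, rights) at the end of a delegation chain.

    Each link must be issued by the current holder, and every holder after
    the root needs may_delegate on the cert that empowered it. Rights can
    only narrow along the chain, which keeps the result auditable.
    """
    holder, held, can_delegate = root, frozenset(root_rights), True
    for cert in chain:
        if cert.issuer != holder:
            raise ValueError(f"broken chain: {cert.issuer!r} is not {holder!r}")
        if not can_delegate:
            raise ValueError(f"{holder!r} was not given MAY-DELEGATE")
        granted = held if ALL in cert.rights else cert.rights & held
        holder, held, can_delegate = cert.subject, granted, cert.may_delegate
    return holder, held

# Constructed sample data for the two fork cases in the message above.
PARENT_RIGHTS = frozenset({"read", "write", "exec"})
WORKER = Cert("parent", "worker", frozenset({ALL}))            # parallel worker
SHELL = Cert("parent", "user-shell", frozenset({"read"}))      # LOGIN-style restriction
HELPER = Cert("user-shell", "helper", frozenset({"read"}))     # re-delegation attempt

if __name__ == "__main__":
    print(effective_rights([WORKER], "parent", PARENT_RIGHTS))
    print(effective_rights([SHELL], "parent", PARENT_RIGHTS))
    try:
        effective_rights([SHELL, HELPER], "parent", PARENT_RIGHTS)
    except ValueError as err:
        print("rejected:", err)
```

The worker receives the parent's full set, the restricted shell receives only `read`, and the shell's attempt to pass that on is rejected because its cert lacks the delegate flag.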