[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certs // RW vs CS



-----BEGIN PGP SIGNED MESSAGE-----

Ron,

        your distinctions are worth noting, but I believe you missed a
couple of possibilities which to me are central to this issue.

At 22:20 2/29/96, Ron Rivest wrote:

>There seem to be two fundamental kinds of certificates:
>
>        (I) Those that assert a relationship between a RW principal
>            and a PK.  (Typically the only relationship of interest
>            is "ownership", which can be more clearly stated as
>            "This PK speaks for a (particular) RW principal".)  Since RW
>            principals don't have unique ID's, such certificate may give
>            numerous attributes of the RW principal (name, email address,
>            phone number, age, sex, place of employment, etc.) yet be
>            potentially ambiguous.  DN's are an attempt to give each
>            RW principal a unique ID. Type I certificates have been
>            called "identity-based".  They assert a linkage between a PK and
>            a RW principal.

There is another way to bind a PK to a RW principal: the implicit binding
described as "whichever RW principal is able to invoke the private key of
PK".  With that binding -- (a) you don't know much yet; and (b) the
linkage is precisely as unique and as strong in the security sense
as the allocation of private keys -- something our subsequent use of PKs
counts on.  The association between this RW principal and things like
common names can occur in other certificates -- while the binding between
PK and RW principal, this way, doesn't need a certificate at all.

If attributes or permissions are then bound to a PK, to be invoked in
cyberspace, those attributes or permissions are implicitly being bound
to the RW principal identified by that PK.

>        (II) Statements that are "internal" to cyberspace, and only
>             talk about PK's, without reference to the RW.  Such
>             statements generally grant (or revoke) authorization in various

>             ways.  (A typical case is that one key may grant another the
>             authority to make certain kinds of statements, as if the
>             statements had been made by the first key.)
>
>Note that:
>
>(1) that it is not necessary that every PK have a corresponding type I
>    certificate; some public keys may not have RW owners.
>
>(2) Permissions are typically granted to PK's, not to RW principals.

and (3) not every RW owner of a PK will have a type I certificate [and,
in fact, it's possible to form a complete certification structure linking
RW owners to PKs without any type I certificates, I claim (recklessly :-)].

>
>An example:
>
>I might have a public key K1 that I use to make statements as a
>security officer of corporation X.  There might be a type I
>certificate that describes me and links me to K1.

Alternatively, there might be K1 and no type I certificate.  Rather, I
happen to own K1 [ie., I'm the only one with access to its private key].
The title "security officer" could then be bound to K1, using a type II
certificate -- and it would apply to me because I'm the only person
able to invoke that key.

>Similarly there
>might be a public key KX that is the public key for corporation X, and
>a similar type I certificate linking X to KX.

This is a clear use for a type I certificate.  In this case, the concept
of corporation X exists in an outside person's mind apart from KX and the
person wants to transfer his knowledge about X over to KX.  That's the only
use of a type I certificate, IMHO -- transfer of attributes from the
socially defined world into the world of keys.  In your terminology, this
is a transfer from RW into CS.  However, I, for one, live in a RW which *is*
CS -- not entirely, but more and more.  I suspect it is prejudicial to
use the term "real" to refer to a physical world with person-to-person
contact in the flesh rather than the world where contacts between people
are by transfer of bits.  As the latter takes over from the former,
the term RW becomes synonymous with CS and you need a new term for the
old fashioned world of physical presence.  [cf., Asimov's "Naked Sun",
where there is a major differentiation between "seeing" and "viewing".]

If the outside person had instead encountered corporation X
only through a digital presence in the form of messages signed by KX, then
KX becomes the primary means of identifying the corporation -- not some
billboard [Citgo in Kenmore Sq.?] -- and in this case, there's no need
for a type I cert even for a corporation.

>The fact that I am the
>security officer of X is modelled by a type II certificate by KX that
>asserts that K1 can make certain kinds of statements with the same
>authority that KX would have to make those statements.

Yes -- type II because KX, which owns all permissions for corporation X
carves off a piece and delegates it to K1.  This could be the only such
carving which occurs.  That is, we tend to think of this delegation happening
by paper memo in an office environment, between people.  There might be
a staff meeting in which the new security officer is presented to the
other employees.  With that idea in mind, we think of the CS key signing
as mirroring something which happens "in the real world".  However, there
might be no "real world" event.  The delegation might occur only through the
type II cert, in a future company.  The rest of the employees might never
meet the security officer in the flesh, because he telecommutes from Lunar
base.

>Such a statement
>might be of the form, "KY is the PK of (i.e. speaks for) an employee of
>corporation X."

The point I'm trying to make [and I hope I'm not beating it to death]
is that "KY speaks for Y" may be an anachronism.  It assumes that
the behavior of a flesh-and-blood human in the "real world" is the
source of privileges.  With some people now acting only through bits, it may
be
that the only actions Y can perform are through KY -- and, in that case,
it makes sense to allocate privileges to KY and let Y acquire them implicitly
by being the only person knowing the private key of KY.

Except that the phrase is insulting to humans, you might rewrite your
sentence as "KY is an employee of corporation KX"  [where "KY" means both
the PK and the person who knows its private key].  If you do this, then
there is no type I certificate involved.

>Another type of statement
>by KX might be of the form, "KY is authorized to make statements of the
>form, `KY, speaking for KX, says `I order $___ (<$500) worth of ___.' ' "
>This is a type II certificate.  A supplier receiving an order by KY can
>check this type II certificate, and then respond to the order depending
>on local policy as to whether KX's orders are to be honored.  (Such policy
>may depend on a RW principal determining whether X's orders are to be
>honored, and determining what public keys are to be believed in determining
>the linkage from X to KX via type I certificates.)

This is only if that RW shipping clerk considers X to be more fundamental
than KX.  If KX is more fundamental than X, there is no type I certificate
involved.

Far fetched?  Money talks.  I could open a digital bank account, yielding
electronic checks.  My bank account number and my name could each be equal to
my signature public key.  While those checks gather a history of being
cashed promptly, I can acquire the reputation of being a trusted key to sell
to.  In this case, KX is far more important than X, which is just an
arbitrary text string, as far as the shipping clerk is concerned.  He
doesn't see the brick buildings, parking lots and people of X.  He sees
money from KX.  If my checks are anonymous, he doesn't even learn X -- just
KX.

>
>In my thinking, I find it these distinctions helpful...
>
>Is this the right conceptual framework for certificates?

I think it's a good framework -- except that it relies far too
heavily on type I certificates.  Once you allow the implicit [and much
stronger] binding between RW people and PKs of the form "whoever is able
to invoke the associated private key", many of the identity certificates
of earlier discussions become type II or just go away -- or become
self-signed [e.g., "I receive e-mail at cme@acm.org" is self-signed, if
the word "I" is defined as "the person who can invoke the PGP private
key with fingerprint 61E2DE7FCB9D7984E9C8048BA63221A2".  So is the
statement "I answer to the name Carl Ellison" a self-signed cert.]

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMTbSu1QXJENzYr45AQGN+AQAiCK0flUvVfF4Z+H77DzS6O20tevYSpsM
MDdgHWsq8irs2eTkpC0BT1IAxhapbgYwTq0NBxnN5wX0il9ON3D1Z7ouxhTlDUvy
5q760V6r/XBZDBHdSFZTdJqdWY6YswFuK5izSCPvE5R3FIDXOh+jtg8wJJDgt0Ng
FqgwKjc4UXM=
=Nwtw
-----END PGP SIGNATURE-----

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
+--------------------------------------------------------------------------+