[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Other ideas for certificates -Reply

To: perry@piermont.com
Subject: Re: Other ideas for certificates -Reply
From: TCARTER@novell.com (Tammy Carter)
Date: Mon, 04 Mar 1996 10:28:33 -0700
Cc: spki@c2.org
Sender: owner-spki@c2.org

Hummm....  I understand your reasoning, but I can also see an alternative implementation (which is
the one that I was thinking of, I suppose).  The "privilege certificate" would be given by the parent
to the child and it would be up to the software to decide if the certificate was valid.  I suppose it
would be a kind of proxy authorization.  

I suppose a more convincing example may be a driver's license suspension due to a DUI ticket.  It
would seem expensive to have the license revoked and then reissued.  And, in this case, there is
no third party to register the suspension with.  Or, am I mistaken?  Is there another alternative?

Tammy Carter

>>> Perry E. Metzger <perry@piermont.com> 03/01/96 02:19pm >>>

Tammy Carter writes:
> 1.  Motivation for Suspension of Certificates Yes, I know that
> suspension is not something that is condoned, but the following
> scenario seems to beg for the capability....

The scenario you give seems to be flawed; I'll state why

> My child has a permission certificate from me allowing her to spend
> up to $100 on my credit card

Now, the problem here is that I'm not convinced that such a signed document would be
necessary. Since this has to be enforced by the bank issuing the credit line (I'm not sure "credit
card" makes sense any more :-), I'd say that the right thing to do is to give instructions to the bank,
not to have a certificate that a merchant would look at. The merchant could, after all, not do the
right thing, and in any case the bank has to tell the merchant if a transaction is authorized based
on running totals -- online clearing is essential. I thus am not sure such a certificate would ever
exist.

Ultimately, one must always ask "who is being asked to believe a signature on this document"?

In the case of commercial paper (checks and the like) or drafts against credit cards, the answer is
always "the bank", in which case if the bank has the public key on file it is not clear that it needs a
certificate authority at all. (It might be argued that a merchant wants to know that you aren't ripping
them off, but the only real way to know that is to find out if the transaction clears, since merely
knowing you possess an account never says anything about whether you have a single penny in
it.)

Perry

Prev by Date: Re: Apology and requirements
Next by Date: bootstrap of key-centric binding of person to key
Prev by thread: RE: ansi/ccitt doc availability
Next by thread: bootstrap of key-centric binding of person to key
Index(es):
- Main
- Thread