Re: specification language?
>Whooo - I can see that what I wrote could be confusing - I'd better
>clarify fast!
>
>When I say, flatten hierarchies, I'm referring to the data types used to
>build the certificate, and *NOT* any certificate chaining. For example,
>X.500 DNs are of the form
>
>name ::= sequence of rdn
>rdn ::= set of ava
>ava ::= sequence { attr string, value string}
>
>which LDAP flattens to
>
>name ::= string -- where the raw X500 name is converted to ascii using
> -- a few simple rules (see RFC1485)
Simon,
I think you're right that a modified [enhanced] subset of X.509 could work.
However, unaugmented X.509 is flawed, IMHO, even if the DN were cleaned
up to be a sensible text string rather than some X.500 carry-over.
In particular, as I argue in my cert.html, X.509 suffers from the Vogon HQ
problem -- that its meaning is not specified in the certificate itself.
It also suffers from trying to tie a name to a key rather than a permission
[or meaning] to a key. The latter requires no names at all.
Specifically, one special case of a key-centered certificate is the one
whose meaning is, for example:
"This certificate assigns all permissions carried by the CyberCash employee
Carl Ellison to the Subject key." That is a traditional X.509 meaning --
but it's a subset of key-centered certification. That cert has to be
signed by a CyberCash key authorized to give out such permission
assignments.
Another kind of key-centered cert might carry the meaning "I answer to the
name Carl Ellison" and be signed by my key -- i.e., be self-signed. These
two have very different meanings -- a difference X.509 is not capable of
expressing.
- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430 http://www.cybercash.com/ |
|2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091 Tel: (703) 620-4200 |
+--------------------------------------------------------------------------+
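The DN flattening the quoted message describes (a sequence of RDNs, each a set of attribute/value pairs, reduced to one string) as an added example that is not part of the original thread. It follows the escaping and reversed-RDN-order rules of RFC 2253, the later revision of the RFC 1485 rules the message cites; the sample DN is constructed.

```python
# Added example (not the list's code): flatten a structured X.500 DN into the
# LDAP string form and parse it back, using the RFC 2253 rules (successor to
# RFC 1485). Structure mirrors the quoted grammar:
#   name = sequence of rdn; rdn = set of ava; ava = (attr, value)

_SPECIAL = set(',+"\\<>;')


def escape_value(value):
    """Escape one attribute value per RFC 2253 section 2.4."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, len(value) - 1):
            out.append('\\ ')      # leading/trailing space must be escaped
        elif ch == '#' and i == 0:
            out.append('\\#')      # leading '#' would signal a hex-encoded value
        else:
            out.append(ch)
    return ''.join(out)


def flatten_rdn(rdn):
    # AVAs within an RDN are a set, so sort them for a deterministic string
    return '+'.join('%s=%s' % (a, escape_value(v)) for a, v in sorted(rdn))


def flatten_dn(name):
    # RFC 2253 emits RDNs starting with the last element of the X.500 sequence
    return ','.join(flatten_rdn(rdn) for rdn in reversed(name))


def parse_dn(text):
    """Inverse of flatten_dn: split on unescaped ',' and '+', then unescape."""
    name, rdn, attr, buf, i = [], [], None, [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2; continue    # escaped char
        if ch == '=' and attr is None:
            attr, buf = ''.join(buf), []
        elif ch in ',+':
            rdn.append((attr, ''.join(buf))); attr, buf = None, []
            if ch == ',':
                name.append(rdn); rdn = []
        else:
            buf.append(ch)
        i += 1
    rdn.append((attr, ''.join(buf))); name.append(rdn)
    return list(reversed(name))      # back to X.500 order (most significant first)


# Constructed sample DN in X.500 order: a value containing ',' and a multi-valued RDN
SAMPLE_DN = [[('C', 'US')], [('O', 'CyberCash, Inc.')],
             [('OU', 'Suite 430'), ('L', 'Reston')], [('CN', 'Carl M. Ellison')]]
```

Round-tripping SAMPLE_DN through flatten_dn and parse_dn shows the string form preserves the RDN/AVA structure only because of the escaping rules; a raw join would not.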