[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: specification language?

To: spki@c2.org
Subject: Re: specification language?
From: cme@cybercash.com (Carl Ellison)
Date: Thu, 14 Mar 1996 09:41:37 -0500
Sender: owner-spki@c2.org


>Whooo - I can see that what I wrote could be confusing - I'd better
>clarify fast!
>
>When I say, flatten hierachies, I'm referring to the data types used to
>build the certificate, and *NOT* any ceritificate chaining. For example,
>X.500 DNs are of the form
>
>name ::= sequence of rdn
>rdn  ::= set of ava
>ava  ::= sequence { attr string, value string}
>
>which LDAP flattens to
>
>name ::= string -- where the raw X500 name is converted to ascii using
>                -- a few simple rules (see RFC1485)

Simon,

I think you're right that a modified [enhanced] subset of X.509 could work.
However, unaugmented X.509 is  flawed, IMHO, even if the DN were cleaned
up to be a sensible text string rather than some X.500 carry-over.

In particular, as I argue in my cert.html, X.509 suffers from the Vogon HQ
problem -- that its meaning is not specified in the certificate itself.

It also suffers from trying to tie a name to a key rather than a permission
[or meaning] to a key.  The latter requires no names at all.

Specifically, one special case of a key-centered certificate is the one
whose meaning is, for example:

"This certificate assigns all permissions carried by the CyberCash employee
Carl Ellison to the Subject key."  That is a traditional X.509 meaning --
but it's a subset of key-centered certification.  That cert has to be
signed by a CyberCash key authorized to give out such permission
assignments.

Another kind of key-centered cert might carry the meaning "I answer to the
name Carl Ellison" and be signed by my key -- ie., be self-signed.  These
two have very different meanings -- a difference X.509 is not capable of
expressing.

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
+--------------------------------------------------------------------------+

Prev by Date: Re: Man in the middle attacks
Next by Date: Re: Man in the middle attacks
Prev by thread: Re: specification language?
Next by thread: Re: specification language?
Index(es):
- Main
- Thread