
Re: specification language?

>Whooo - I can see that what I wrote could be confusing - I'd better
>clarify fast!
>When I say, flatten hierarchies, I'm referring to the data types used to
>build the certificate, and *NOT* any certificate chaining. For example,
>X.500 DNs are of the form
>name ::= sequence of rdn
>rdn  ::= set of ava
>ava  ::= sequence { attr string, value string}
>which LDAP flattens to
>name ::= string -- where the raw X500 name is converted to ascii using
>                -- a few simple rules (see RFC1485)


I think you're right that a modified [enhanced] subset of X.509 could work.
However, unaugmented X.509 is flawed, IMHO, even if the DN were cleaned
up to be a sensible text string rather than some X.500 carry-over.

In particular, as I argue in my cert.html, X.509 suffers from the Vogon HQ
problem -- that its meaning is not specified in the certificate itself.

It also suffers from trying to tie a name to a key rather than a permission
[or meaning] to a key.  The latter requires no names at all.

Specifically, one special case of a key-centered certificate is the one
whose meaning is, for example:

"This certificate assigns all permissions carried by the CyberCash employee
Carl Ellison to the Subject key."  That is a traditional X.509 meaning --
but it's a subset of key-centered certification.  That cert has to be
signed by a CyberCash key authorized to give out such permission.

Another kind of key-centered cert might carry the meaning "I answer to the
name Carl Ellison" and be signed by my key -- i.e., be self-signed.  These
two have very different meanings -- a difference X.509 is not capable of

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
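As an added illustration of the two meanings contrasted above (this is not code from the message, from CyberCash, or from any SPKI specification), here is a toy evaluator for key-centered certificates in which the meaning travels inside the cert. The keys, the trust table and the permission names are constructed for the example, and signature verification is assumed to have been done already by a real public-key library.

```python
# Added example: evaluate what a key-centered certificate *means*.
# Assumes each cert's signature by cert["issuer"] has already been verified.

# Constructed sample keys (stand-ins for real public keys).
CYBERCASH_HR_KEY = "cybercash-hr-key"  # may hand out employee permissions
CARL_KEY = "carl-key"                   # the Subject key in every cert below

# Constructed trust table: which issuer keys may grant which permissions.
GRANT_AUTHORITY = {CYBERCASH_HR_KEY: {"payroll-access", "building-entry"}}

def cert_meaning(cert, authority=GRANT_AUTHORITY):
    """Return ("permissions", set) or ("name", str); raise ValueError if the
    cert's stated meaning is one its issuer is not entitled to assert."""
    meaning = cert["meaning"]
    if meaning["kind"] == "permissions":
        # "assigns all permissions carried by ... to the Subject key":
        # only valid if the issuer is authorized to give out each right.
        wanted = set(meaning["rights"])
        allowed = authority.get(cert["issuer"], set())
        if not wanted <= allowed:
            raise ValueError(f"issuer may not grant {wanted - allowed}")
        return "permissions", wanted
    if meaning["kind"] == "name":
        # "I answer to the name Carl Ellison": a self-signed claim that
        # binds a name to the key and confers no rights whatsoever.
        if cert["issuer"] != cert["subject"]:
            raise ValueError("a name claim must be self-signed")
        return "name", meaning["name"]
    raise ValueError(f"unknown meaning kind {meaning['kind']!r}")

def rights_and_names(subject, certs):
    """Fold a bundle of certs into (rights held, names claimed) for one key,
    silently dropping any cert whose meaning does not check out."""
    rights, names = set(), []
    for cert in certs:
        if cert["subject"] != subject:
            continue
        try:
            kind, payload = cert_meaning(cert)
        except ValueError:
            continue
        rights.update(payload) if kind == "permissions" else names.append(payload)
    return rights, names

# Constructed certs: same Subject key, three different meanings.
PERMISSION_CERT = {"issuer": CYBERCASH_HR_KEY, "subject": CARL_KEY,
                   "meaning": {"kind": "permissions", "rights": ["payroll-access"]}}
NAME_CERT = {"issuer": CARL_KEY, "subject": CARL_KEY,
             "meaning": {"kind": "name", "name": "Carl Ellison"}}
SELF_GRANT = {"issuer": CARL_KEY, "subject": CARL_KEY,   # self-signed, so it can
              "meaning": {"kind": "permissions", "rights": ["payroll-access"]}}
```

The self-signed SELF_GRANT is rejected while the self-signed NAME_CERT is accepted, which is exactly the distinction a name-to-key binding alone cannot express.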