[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: make things as simple as possible

At 21:15 3/20/96, Greg Rose wrote:
>I've been fairly quiet on this list due to
>workload, but I've been trying to follow
>everything. I think I've spotted a simplifying
>assumption that might be useful in our discussion.
>This was inspired by Matt, Joan and Jack's
>"Decentralised Trust Management", but don't blame
>them for my rantings.

[proposal for having each element of a cert be represented by a fixed
length hash -- so that the cert is just a signed array of fixed length


There's a certain elegance to this proposal that I really like -- but I
have doubts.  This might complicate the application code [e.g., the code
looking for permission to do FTP to a given machine] -- or it might
simplify that.

Let's say the Meaning of a particular cert is to allow FTP into cybercash.com.
I imagine the application designer [the one modifying the FTP server or the
firewall to allow such access] defining a Meaning field he will recognize:


Meaning: Allow FTP access into the machine cybercash.com


Meaning: FTP-access, cybercash.com


FTP-access: cybercash.com

In any of these three cases, that application could build the acceptable
string and hash it -- and from then on, just look for that hash in the
certificate body.  That might speed up checking quite a bit.

However, if the application has to go fetch the meaning from someplace and
then compute the hash of it to add it to a hash table and then compare
hashes and then parse the fetched statement, prior to giving access
permission, it's a loser IMHO.

I wonder about other real applications of certificates.  Ideas?

One of the problems I see is that the tag of the field is lost until you do
the hash lookup, in Greg's proposal, so the app code interpreting the cert
is probably complicated in any case.  You might find people requesting that
certain tags always be at certain locations in the array..... Hmmmm....

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |