
(attribute,key) bindings



In my previous message, I suggested that the X.509 folks have gone to
(attribute,key) certificates in addition to the (name,key) certificates,
since (name,key) means nothing in cyberspace.

This is effectively true but not quite.

The X.509 gang in fact suggests (attribute,name) certificates -- thus
creating an artificial demand for (name,key) certificates.

You can think of the (attribute,key) certificates I've been advocating as
the reduction of (attribute,name)(name,key) to what I care about as a
programmer, omitting the thing I don't care about [the name].  {There are
other reasons to omit the name but that's a topic for a different message.}

Attribute in this case ["meaning" in previous messages] is something like
"permission to get FTP access to cybercash.com" or "permission to spend up
to $5000 per check from checking account xxx-xxxxx-xx" or whatever....

It should also be noted that formally, one needs to use
(attribute,key)(key), where the second cert, (key), is self-signed and can
be revoked in case the key is compromised.  Similarly, the X.509 crowd
should use:
        (attribute,name)(name,key)(key)

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
+--------------------------------------------------------------------------+
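The chain shapes the message contrasts, (attribute,key)(key) against (attribute,name)(name,key)(key), and the "reduction" that composes the latter into the former by dropping the name, as an added worked example in Python. It is not part of Carl's message or of any CyberCash code; signature verification is abstracted away (each certificate simply records which key issued it), and the key identifiers, the issuer set TRUSTED, and the sample certificates are constructed for illustration. The trailing (key) certificate is modelled as a set of self-certified keys plus a revocation set, so the example also shows that revoking the (key) cert cuts off both chain forms at once.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttrKeyCert:
    """(attribute,key): issuer asserts that `key` holds `attribute`."""
    attribute: str
    key: str
    issuer: str


@dataclass(frozen=True)
class AttrNameCert:
    """(attribute,name): issuer asserts that whoever is called `name` holds `attribute`."""
    attribute: str
    name: str
    issuer: str


@dataclass(frozen=True)
class NameKeyCert:
    """(name,key): a naming authority asserts that `name` is `key`."""
    name: str
    key: str
    issuer: str


@dataclass
class CertStore:
    attr_key: list = field(default_factory=list)
    attr_name: list = field(default_factory=list)
    name_key: list = field(default_factory=list)
    key_certs: set = field(default_factory=set)   # keys holding a self-signed (key) cert
    revoked: set = field(default_factory=set)     # (key) certs that have been revoked


# Hypothetical trust anchors: an attribute issuer and a naming authority.
TRUSTED = {"K_cybercash", "K_nameca"}


def key_is_live(store: CertStore, key: str) -> bool:
    """The trailing (key) cert: it must exist and must not have been revoked."""
    return key in store.key_certs and key not in store.revoked


def holds_attribute_spki(store: CertStore, trusted: set, attribute: str, key: str) -> bool:
    """(attribute,key)(key): a direct lookup plus the liveness check."""
    if not key_is_live(store, key):
        return False
    return any(c.attribute == attribute and c.key == key and c.issuer in trusted
               for c in store.attr_key)


def names_of_key(store: CertStore, trusted: set, key: str) -> set:
    """Every name a trusted naming authority has bound to `key`."""
    return {c.name for c in store.name_key if c.key == key and c.issuer in trusted}


def holds_attribute_x509(store: CertStore, trusted: set, attribute: str, key: str) -> bool:
    """(attribute,name)(name,key)(key): go through the name, then check the key is live."""
    if not key_is_live(store, key):
        return False
    names = names_of_key(store, trusted, key)
    return any(c.attribute == attribute and c.name in names and c.issuer in trusted
               for c in store.attr_name)


def reduce_to_attr_key(store: CertStore, trusted: set) -> list:
    """Compose each (attribute,name) with every matching (name,key) and drop the name.

    The result is the (attribute,key) form the message argues a programmer
    actually cares about; the issuer carried over is the attribute issuer.
    """
    out = []
    for an in store.attr_name:
        if an.issuer not in trusted:
            continue
        for nk in store.name_key:
            if nk.issuer in trusted and nk.name == an.name:
                out.append(AttrKeyCert(an.attribute, nk.key, an.issuer))
    return out


def build_sample_store() -> CertStore:
    """Constructed sample certificates (not taken from the message)."""
    store = CertStore()
    store.attr_name.append(AttrNameCert("ftp:cybercash.com", "Alice", "K_cybercash"))
    store.name_key.append(NameKeyCert("Alice", "K_alice", "K_nameca"))
    store.attr_key.append(AttrKeyCert("ftp:cybercash.com", "K_alice", "K_cybercash"))
    store.key_certs.add("K_alice")
    return store


def demo():
    """Both chain forms before and after the (key) cert for K_alice is revoked."""
    store = build_sample_store()
    before = (holds_attribute_x509(store, TRUSTED, "ftp:cybercash.com", "K_alice"),
              holds_attribute_spki(store, TRUSTED, "ftp:cybercash.com", "K_alice"))
    store.revoked.add("K_alice")          # key compromised: revoke the self-signed (key) cert
    after = (holds_attribute_x509(store, TRUSTED, "ftp:cybercash.com", "K_alice"),
             holds_attribute_spki(store, TRUSTED, "ftp:cybercash.com", "K_alice"))
    return before, after


if __name__ == "__main__":
    print(reduce_to_attr_key(build_sample_store(), TRUSTED))
    print(demo())
```

Running the module prints the reduced (attribute,key) certificate and then `((True, True), (False, False))`: both chain forms grant the attribute while the (key) cert is live, and both fail once it is revoked, which is why the message insists the (key) cert belongs at the end of either chain.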