[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cme@cybercash.com: Quick Survey: name certificate syntax]
------- Start of forwarded message -------
Another option would be to leave the basic format the same, but to have
a "cert-type" field with a value of "def" or "auth", where "def" is for
a name-cert, and "auth" is for an authorization. The requirements would
then be that a def could not have a tag field (it is implicitly (tag (*))),
and could not have a delegate field (it implicitly allows delegation),
whereas an auth must have a key (with no names) as an issuer, and
must have the tag and delegation fields specified...
(cert
(cert-type def)
(issuer (name K1 alice))
(subject (name K2 sam mother))
<validity fields>...
)
(cert
(cert-type auth)
(issuer K1)
(subject (name K2 sam mother))
(tag (read-file foo))
(propagate)
<validity fields>...
)
Cheers,
Ron
==============================================================================
Return-Path: <owner-spki@c2.net>
X-Authentication-Warning: blacklodge.c2.net: majordom set sender to owner-spki@c2.org using -f
X-Sender: cme@cybercash.com
Date: Thu, 20 Nov 1997 00:47:29 -0500
To: spki@c2.net
From: Carl Ellison <cme@cybercash.com>
Subject: Quick Survey: name certificate syntax
Mime-Version: 1.0
Sender: owner-spki@c2.net
Precedence: bulk
- -----BEGIN PGP SIGNED MESSAGE-----
I would like a quick response from list participants. What is your
preference between the two options described here? I'm planning to submit
the next draft tonight and would like it to include the more popular form.
For the sake of simplifying the explanation of certificate meaning and
cleaning up the reduction engine a little, I've been pretty well convinced
by Ron Rivest's SPKI programmers to separate name certificates out from
authorization certificates. The difference is that a name certificate is
always (tag (*)) [and by the stop-at-key rule, (propagate)].
If these are separate, they can have their own syntax. The two candidates
are:
cert
(issuer (name <prin> <name>))
(subject ...)
(tag (*))
<validity fields>
)
as in the current draft, and:
(name-cert
(issuer <prin>)
(name <name>)
(subject ...)
<validity fields>
)
which is closer to the original draft and something a number of people asked
me for in Memphis.
The first form has the advantage that it reflects the form of the
intermediate state during name string reduction. That is, one expresses a
name certificate internally as
<issuer,subject,validity>
where issuer and subject are SDSI names (or raw keys). So, the first form's
issuer is used intact here, while the second form's issuer,name are combined
to make this reduction tuple.
I'm easy on this. I would like to hear opinions from the group -- hopefully
today.
Thanks,
Carl
- -----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCVAwUBNHPO7xN3Wx8QwqUtAQEK3wQAiqRSKkSmL+VQLwk3gpYUFgcddfLg6u5W
mFcrIs36mvl6G/3zpW0YxtRdAxA5o2huBbCmHds9kZ5a9IMHo8G8bBLkpYIxwT+P
cA446potLRWEv7fEw8LDqlSl4YGE8oJAFSOoPe/oubOORjn4Jzn0Zfx9z4JmmgOQ
wk4a3GUKPCk=
=xHdG
- -----END PGP SIGNATURE-----
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
------- End of forwarded message -------
Follow-Ups: