
[cme@cybercash.com: Quick Survey: name certificate syntax]

------- Start of forwarded message -------

Another option would be to leave the basic format the same, but to have
a "cert-type" field with a value of "def" or "auth", where "def" is for
a name-cert, and "auth" is for an authorization.  The requirements would
then be that a def could not have a tag field (it is implicitly (tag (*))),
and could not have a delegate field (it implicitly allows delegation),
whereas an auth must have a key (with no names) as an issuer, and 
must have the tag and delegation fields specified...

	(cert-type def)
	(issuer (name K1 alice))
	(subject (name K2 sam mother))
	<validity fields>...

	(cert-type auth)
	(issuer K1)
	(subject (name K2 sam mother))
	(tag (read-file foo))
	<validity fields>...

Date: Thu, 20 Nov 1997 00:47:29 -0500
To: spki@c2.net
From: Carl Ellison <cme@cybercash.com>
Subject: Quick Survey: name certificate syntax


I would like a quick response from list participants.  What is your 
preference between the two options described here?  I'm planning to submit 
the next draft tonight and would like it to include the more popular form.

For the sake of simplifying the explanation of certificate meaning and 
cleaning up the reduction engine a little, I've been pretty well convinced 
by Ron Rivest's SPKI programmers to separate name certificates out from 
authorization certificates.  The difference is that a name certificate is 
always (tag (*)) [and by the stop-at-key rule, (propagate)].

If these are separate, they can have their own syntax.  The two candidates are:

 (issuer (name <prin> <name>))
 (subject ...)
 (tag (*))
 <validity fields>

as in the current draft, and:

 (issuer <prin>)
 (name <name>)
 (subject ...)
 <validity fields>

which is closer to the original draft and something a number of people asked 
me for in Memphis.

The first form has the advantage that it reflects the form of the 
intermediate state during name string reduction.  That is, one expresses a 
name certificate internally as


where issuer and subject are SDSI names (or raw keys).  So, the first form's 
issuer is used intact here, while the second form's issuer,name are combined 
to make this reduction tuple.

I'm easy on this.  I would like to hear opinions from the group -- hopefully





|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
------- End of forwarded message -------
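
The following is an added example, not part of either message or of any SPKI draft: it parses a name certificate written in either candidate form and reduces both to the same (issuer name, subject) pair, folding the second form's separate issuer and name fields together as the survey describes. The function names, the Python tuple representation, and the sample certificates (validity fields omitted) are assumptions made for illustration.

```python
def parse(text):
    """Parse a run of S-expressions into nested lists of atom strings."""
    stack = [[]]
    for tok in text.replace("(", " ( ").replace(")", " ) ").split():
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def is_name(expr):
    """True for a (name ...) expression, False for a bare key or other form."""
    return isinstance(expr, list) and expr[:1] == ["name"]

def normalize_name_cert(text):
    """Return (issuer_name, subject) for a name cert written in either form."""
    fields = {}
    for field in parse(text):
        if not (isinstance(field, list) and field and isinstance(field[0], str)) \
                or field[0] in fields:
            raise ValueError(f"malformed or duplicate field: {field!r}")
        fields[field[0]] = field[1:]
    issuer, subject = fields.get("issuer", []), fields.get("subject", [])
    if len(issuer) != 1 or len(subject) != 1:
        raise ValueError("need exactly one issuer and one subject")
    if "name" in fields:
        # Second form: (issuer <prin>) (name <name>); the tag is implied.
        if "tag" in fields or is_name(issuer[0]) or len(fields["name"]) != 1:
            raise ValueError("second form: bare principal, one name, no tag")
        issuer_name = ["name", issuer[0], fields["name"][0]]
    else:
        # First form: (issuer (name <prin> <name>)) with an explicit (tag (*)).
        if fields.get("tag") != [["*"]]:
            raise ValueError("first form: name cert must carry (tag (*))")
        if not is_name(issuer[0]) or len(issuer[0]) != 3:
            raise ValueError("first form: issuer must be (name <prin> <name>)")
        issuer_name = issuer[0]
    return issuer_name, subject[0]

# Constructed samples; the key and name atoms are borrowed from the thread.
FORM_1 = "(issuer (name K1 alice)) (subject (name K2 sam mother)) (tag (*))"
FORM_2 = "(issuer K1) (name alice) (subject (name K2 sam mother))"
```
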