[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: delegation question

To: "Stephen C. Koehler" <koehler@securecomputing.com>
Subject: Re: delegation question
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Date: Tue, 16 Dec 1997 20:11:23 -0500
Cc: spki@c2.net
In-Reply-To: Your message of "Tue, 16 Dec 1997 13:19:55 CST." <199712161919.NAA17238@sente.sctc.com>
Sender: owner-spki@c2.net

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Stephen" == Stephen C Koehler <koehler@securecomputing.com> writes:
Stephen> Bob has been delegated the authority to sign certificates
Stephen> allowing employees to enter his company's building. He will be
Stephen> on vacation for a week, so he delegates his building entry
Stephen> authority, with delegation, to Alice for a period of one week.

Okay.

Stephen> During the week, Alice signs a building entry certificate for
Stephen> Cliff. It seems that Cliff's authority to enter the building
Stephen> will expire with Alice's certificate. Is there a way to make it
Stephen> persist? I can't see how to do this with any combination of
Stephen> capability and name certificates. Am I missing something?

It is appropriate that one can not delegate more authority than one
receives. There are, I think, some models of authority that allow this (%)

My feeling is that Alice needs to send Bob a list of certificates she has
authorized for his long-term approval.
I think this was discussed last year, extensively. Where are the list
archives? We should have a reference on the IETF web page for the group.

The alternative is that Alice's certificate is not controlled by the
validity period, but rather by an online check, which Bob has setup.

(%) I went to high school in Ontario. We have 13 grades. One effect is that
most students are 18+ in their last year. Aside from the drinking age (18 is
legal across the river), people who were 18 were allowed to act on their own,
without *any* parental consent. [they are 18] (There are limited rules for 16
year olds)
However, the 18 year old needed to get their parents to sign a form saying
that they could sign their own notes. ("self-signed note signing note")
However, since the student was 18, the student could sign that form. To
further make the situation stupid, a student had to still submit a note from
their "guardian" to justify absenses. I once stood in line at the attendance
office while a student in front of me, newly turned 18, argued with the
attendance person that they were only 5 minutes late. I explained the rules
to them, and they expressed outrage that it made no sense. Two signatures
later, it was resolved.

:!mcr!: | Network and security consulting/contract programming
Michael Richardson | I do IPsec policy code for SSH <http://www.ssh.fi/>
Personal: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
Corporate: <A HREF="http://www.sandelman.ottawa.on.ca/SSW/">sales@sandelman.ottawa.on.ca</A>.
ON HUMILITY: To err is human, to moo bovine.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBNJcmuaZpLyXYhL+BAQFugwL/aUjVPBivdguzsZ6kAkcdbcit2a763K26
yryvt8tODqmAR+x95/wxd8gDPT9Dz0k4FoEpEm1b3LSMmDAurSQTxIrANBTnbCFV
+mObfrr4SWyXaWYXjIVRdrrGKjkkbLDd
=/U02
-----END PGP SIGNATURE-----

References:

delegation question

From: "Stephen C. Koehler" <koehler@securecomputing.com>

Prev by Date: Re: delegation question
Next by Date: Re: delegation question
Prev by thread: delegation question
Next by thread: Re: delegation question
Index(es):
- Main
- Thread