
Re: delegation question


>>>>> "Stephen" == Stephen C Koehler <koehler@securecomputing.com> writes:
    Stephen> Bob has been delegated the authority to sign certificates
    Stephen> allowing employees to enter his company's building.  He will be
    Stephen> on vacation for a week, so he delegates his building entry
    Stephen> authority, with delegation, to Alice for a period of one week.


    Stephen> During the week, Alice signs a building entry certificate for
    Stephen> Cliff.  It seems that Cliff's authority to enter the building
    Stephen> will expire with Alice's certificate.  Is there a way to make it
    Stephen> persist?  I can't see how to do this with any combination of
    Stephen> capability and name certificates.  Am I missing something?

  It is appropriate that one cannot delegate more authority than one
receives. There are, I think, some models of authority that allow this (%).

  My feeling is that Alice needs to send Bob a list of certificates she has
authorized for his long-term approval.
  I think this was discussed last year, extensively. Where are the list
archives? We should have a reference on the IETF web page for the group.

  The alternative is that Alice's certificate is not controlled by the
validity period, but rather by an online check, which Bob has set up.

(%) I went to high school in Ontario. We have 13 grades. One effect is that
most students are 18+ in their last year. Aside from the drinking age (18 is
legal across the river), people who were 18 were allowed to act on their own,
without *any* parental consent. [they are 18] (There are limited rules for 16
year olds)  
  However, the 18 year old needed to get their parents to sign a form saying
that they could sign their own notes. ("self-signed note signing note")
However, since the student was 18, the student could sign that form. To
further make the situation stupid, a student had to still submit a note from
their "guardian" to justify absences. I once stood in line at the attendance
office while a student in front of me, newly turned 18, argued with the
attendance person that they were only 5 minutes late. I explained the rules
to them, and they expressed outrage that it made no sense. Two signatures
later, it was resolved. 

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |   I do IPsec policy code for SSH <http://www.ssh.fi/>
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
	ON HUMILITY: To err is human, to moo bovine.
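An added illustration, not part of the message above or of any working-group specification: a toy capability-chain reduction in Python (the SPKI-style 5-tuple reduction is assumed to be the model the thread has in mind). It shows why Cliff's authority obtained through Alice is clipped to Alice's one-week window, and why Bob's direct long-term approval, issued from the list Alice sends him, is what makes it persist. The `Cert` fields, names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Cert:
    """Simplified authorization cert: issuer grants `tag` to subject."""
    issuer: str
    subject: str
    tag: str           # authority granted, e.g. "enter-building"
    delegate: bool     # may the subject pass this authority on?
    not_before: datetime
    not_after: datetime

def reduce_chain(chain):
    """Reduce a chain (root first) to one tuple
    (issuer, subject, delegate, not_before, not_after), or None.

    The chain fails if a link's issuer is not the previous subject, the
    tag differs, the previous subject was not allowed to delegate, or
    the validity windows do not overlap. Validity is the INTERSECTION of
    every link, so a subject can never hand out more than it received.
    """
    if not chain:
        return None
    first = chain[0]
    subject, delegate = first.subject, first.delegate
    not_before, not_after = first.not_before, first.not_after
    for link in chain[1:]:
        if link.issuer != subject or link.tag != first.tag or not delegate:
            return None
        not_before = max(not_before, link.not_before)
        not_after = min(not_after, link.not_after)
        if not_before > not_after:
            return None
        subject, delegate = link.subject, link.delegate
    return (first.issuer, subject, delegate, not_before, not_after)

# Constructed scenario: Bob -> Alice for one week, Alice -> Cliff for months.
T0 = datetime(2000, 1, 3)
WEEK = timedelta(days=7)
company_to_bob = Cert("company", "bob", "enter-building", True, T0, T0 + 365 * timedelta(days=1))
bob_to_alice = Cert("bob", "alice", "enter-building", True, T0, T0 + WEEK)
alice_to_cliff = Cert("alice", "cliff", "enter-building", False, T0 + timedelta(days=2), T0 + timedelta(days=180))
# Bob's long-term approval, signed after Alice sends him her list.
bob_to_cliff = Cert("bob", "cliff", "enter-building", False, T0 + WEEK, T0 + timedelta(days=180))

def cliff_via_alice():
    return reduce_chain([company_to_bob, bob_to_alice, alice_to_cliff])  # ends at T0 + WEEK

def cliff_via_bob():
    return reduce_chain([company_to_bob, bob_to_cliff])  # ends at T0 + 180 days
```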
