Re: delegation question
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Bob" == Bob Jueneman <BJUENEMAN@novell.com> writes:
Bob> Consider a gedanken experiment. Suppose Bob issues the certificate
Bob> to Cliff, valid for one year. Then a week later, Bob leaves to take
Bob> a job elsewhere, and his company revokes Bob's certificate
Bob> (PKIX/X.509 or SPKI -- it doesn't matter). Should that invalidate
Bob> Cliff's certificate?
Bob> No, because Cliff is not dependent upon Bob's on-going patronage
Bob> (I'll assume for the sake of argument, at least), but rather on
Bob> Bob's having validly exercised a role granted/delegated to him by
Bob> their common employer. The same reasoning presumably applies to a
Bob> certificate issued by Alice.
Bob> It may be convenient, and certainly easier to verify the correctness
Bob> of the certificate chain if the validity period of a certificate
Bob> issued to a subordinate entity is a proper subset of the validity
Bob> period of the issuing authority, but it isn't absolutely required.
Bob> Sufficient, in other words, but not necessary.
Bob> In both the PKIX and SPKI environments, it may be useful to limit
Bob> the duration of time in which authority can be delegated, but
To implement this in SPKI, my impression is that it requires some kind of
secure timestamp put in the certificate that is issued to Cliff by Alice to
prove that Alice made the certificate during her week of authority.
Right now, the verifier need trust only its own clock for validity checks.
Is there another way to get the behaviour that Bob describes without having
the verifier trust other clocks?
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | I do IPsec policy code for SSH <http://www.ssh.fi/>
Personal: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
Corporate: <A HREF="http://www.sandelman.ottawa.on.ca/SSW/">sales@sandelman.ottawa.on.ca</A>.
ON HUMILITY: To err is human, to moo bovine.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBNJcqa6ZpLyXYhL+BAQF+dQL+NZwk7eOMiJ37OuVSsaodSu3ZTCCrlQdD
8gW5rD1Vfc/l/9BkACuCFGeLnQ71ifFOyEnkjGl7sJznWgohho2uPh8Yv7Co/dgr
PCw6y8GM+BYpZdZu9+IDYXDZUgZ9+gFS
=meuU
-----END PGP SIGNATURE-----
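The two validation policies the exchange contrasts can be written down side by side. The following is an added example, not code from this message or from any SPKI implementation: `verify_nested` is the "validity period is a proper subset of the issuer's, and every cert in the chain must be good right now" rule, which needs nothing but the verifier's own clock; `verify_issuance_time` is Bob's reading, where a certificate stays good as long as its issuer held authority at the moment of signing, which only works if each certificate carries an issuance time the verifier can trust. The `issued_at` field, the `Cert` layout, the revocation table and all dates are constructed for the example; SPKI certificates carry no such timestamp on their own, which is exactly the gap the reply points at.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    # Time at which the issuer signed this cert, as asserted by some timestamp
    # the verifier trusts.  Hypothetical field for this example only: a plain
    # SPKI/X.509 cert does not carry a trusted issuance time.
    issued_at: Optional[datetime] = None

def in_window(t: datetime, cert: Cert) -> bool:
    return cert.not_before <= t <= cert.not_after

def revoked_by(subject: str, t: datetime, revoked: Dict[str, datetime]) -> bool:
    """True if `subject`'s certificate had been revoked at or before time t."""
    return subject in revoked and revoked[subject] <= t

def verify_nested(chain: List[Cert], now: datetime, revoked: Dict[str, datetime]) -> bool:
    """Policy 1: every cert in the chain must be valid and unrevoked at `now`,
    chained to the previous subject, and its validity period must lie inside
    its issuer's.  Only the verifier's own clock is consulted.
    chain[0] is the trusted authority (the employer), chain[-1] the leaf."""
    for i, cert in enumerate(chain):
        if not in_window(now, cert) or revoked_by(cert.subject, now, revoked):
            return False
        if i > 0:
            parent = chain[i - 1]
            if cert.issuer != parent.subject:
                return False
            if not (parent.not_before <= cert.not_before and cert.not_after <= parent.not_after):
                return False
    return True

def verify_issuance_time(chain: List[Cert], now: datetime, revoked: Dict[str, datetime]) -> bool:
    """Policy 2 (Bob's reading): the root and the leaf must be good at `now`,
    and each cert must have been issued while its issuer's cert was valid and
    not yet revoked.  A later revocation of an intermediate does not
    retroactively kill the chain.  This needs `issued_at` on every non-root
    cert, i.e. a clock other than the verifier's; a chain without it cannot be
    evaluated and is rejected."""
    root, leaf = chain[0], chain[-1]
    if not in_window(now, root) or revoked_by(root.subject, now, revoked):
        return False
    if not in_window(now, leaf) or revoked_by(leaf.subject, now, revoked):
        return False
    for i in range(1, len(chain)):
        cert, parent = chain[i], chain[i - 1]
        if cert.issuer != parent.subject:
            return False
        t = cert.issued_at
        if t is None:                       # no trusted timestamp: cannot decide
            return False
        if not in_window(t, parent) or revoked_by(parent.subject, t, revoked):
            return False
    return True

# Constructed scenario from the thread: employer -> Bob (2 years) -> Cliff (1 year);
# Bob's cert is revoked a week after he issues Cliff's.
UTC = timezone.utc
T0 = datetime(1997, 12, 1, tzinfo=UTC)
DAY = timedelta(days=1)
employer = Cert("employer", "employer", T0, T0 + 3650 * DAY)
bob = Cert("employer", "bob", T0, T0 + 730 * DAY, issued_at=T0)
cliff = Cert("bob", "cliff", T0 + 1 * DAY, T0 + 366 * DAY, issued_at=T0 + 1 * DAY)
chain = [employer, bob, cliff]
bob_revoked = {"bob": T0 + 8 * DAY}

def scenario() -> Dict[str, bool]:
    now = T0 + 14 * DAY
    # Same cert as Cliff's but without any issuance timestamp.
    cliff_untimed = Cert("bob", "cliff", cliff.not_before, cliff.not_after)
    # A cert Bob signs the day after his own was revoked.
    dave = Cert("bob", "dave", T0 + 9 * DAY, T0 + 100 * DAY, issued_at=T0 + 9 * DAY)
    return {
        "nested_before_revocation": verify_nested(chain, T0 + 3 * DAY, bob_revoked),
        "nested_after_revocation": verify_nested(chain, now, bob_revoked),
        "issuance_time_after_revocation": verify_issuance_time(chain, now, bob_revoked),
        "issuance_time_no_timestamp": verify_issuance_time([employer, bob, cliff_untimed], now, bob_revoked),
        "issued_after_revocation": verify_issuance_time([employer, bob, dave], now, bob_revoked),
    }

if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

Under the nested policy Cliff's certificate dies with Bob's revocation; under the issuance-time policy it survives, but only because `issued_at` is present and believed, and a certificate Bob signed after his revocation is still caught. Dropping the timestamp makes the second policy undecidable, which is the trade the reply describes: either the verifier relies solely on its own clock, or it must trust a clock that vouches for when the signature was made.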