
Re: delegation question


>>>>> "Bob" == Bob Jueneman <BJUENEMAN@novell.com> writes:
    Bob> Consider a gedanken experiment. Suppose Bob issues the certificate
    Bob> to Cliff, valid for one year.  Then a week later, Bob leaves to take
    Bob> a job elsewhere, and his company revokes Bob's certificate
    Bob> (PKIX/X.509 or SPKI -- it doesn't matter).  Should that invalidate
    Bob> Cliff's certificate?

    Bob> No, because Cliff is not dependent upon Bob's on-going patronage
    Bob> (I'll assume for the sake of argument, at least), but rather on
    Bob> Bob's having validly exercised a role granted/delegated to him by
    Bob> their common employer.  The same reasoning presumably applies to a
    Bob> certificate issued by Alice.

    Bob> It may be convenient, and certainly easier to verify the correctness
    Bob> of the certificate chain if the validity period of a certificate
    Bob> issued to a subordinate entity is a proper subset of the validity
    Bob> period of the issuing authority, but it isn't absolutely required.
    Bob> Sufficient, in other words, but not necessary.

    Bob> In both the PKIX and SPKI environments, it may be useful to limit
    Bob> the duration of time in which authority can be delegated, but

  To implement this in SPKI, my impression is that it requires some kind of
secure timestamp put in the certificate that is issued to Cliff by Alice to
prove that Alice made the certificate during her week of authority.

  Right now, the verifier need trust only its own clock for validity checks.
  Is there another way to get the behaviour that Bob describes without having
the verifier trust other clocks?

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |   I do IPsec policy code for SSH <http://www.ssh.fi/>
 Personal: mcr@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html>. PGP key available.
 Corporate: sales@sandelman.ottawa.on.ca <http://www.sandelman.ottawa.on.ca/SSW/>.
	ON HUMILITY: To err is human, to moo bovine.

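The two verification policies argued over above, modelled as an added example (this is not code from either poster, and SPKI has no field named `issued_at`; the names, dates, the one-week revocation and the `issued_at` timestamp are constructed for illustration). Policy A is the "proper subset" rule Bob calls sufficient but not necessary: every certificate must be valid now and each subordinate period must nest inside its issuer's, so the verifier needs only its own clock. Policy B is Bob's position that Cliff's certificate survives Bob's departure because Bob held authority when he issued it; it can only be decided if the certificate carries a trusted issuance time, which is the timestamp Michael's reply asks about, so the function returns `None` when that proof is absent.

```python
"""Added example: two delegation-chain validation policies from the thread.
All names, dates and the `issued_at` field are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    # Hypothetical trusted issuance timestamp (the "secure timestamp" the reply
    # asks about). None means the certificate carries no such proof. Policy B is
    # only as strong as this value: a forgeable timestamp lets a departed issuer
    # backdate a certificate into his old window of authority.
    issued_at: Optional[datetime] = None


def authority_window(cert: Cert, revocations: Dict[str, datetime]) -> Tuple[datetime, datetime]:
    """Period during which the holder of `cert` could validly exercise it:
    its validity period, cut short if a revocation time is recorded."""
    end = cert.not_after
    revoked = revocations.get(cert.subject)
    if revoked is not None and revoked < end:
        end = revoked
    return cert.not_before, end


def chain_links_ok(chain: List[Cert]) -> bool:
    """Each certificate must name the previous certificate's subject as its issuer."""
    return all(chain[i].issuer == chain[i - 1].subject for i in range(1, len(chain)))


def nested_validity_ok(chain: List[Cert], revocations: Dict[str, datetime], now: datetime) -> bool:
    """Policy A (sufficient, not necessary): every certificate is valid now and each
    subordinate validity period lies inside its issuer's authority window.
    Needs nothing but the verifier's own clock."""
    if not chain_links_ok(chain):
        return False
    for i, cert in enumerate(chain):
        start, end = authority_window(cert, revocations)
        if not (start <= now <= end):
            return False
        if i > 0:
            p_start, p_end = authority_window(chain[i - 1], revocations)
            if not (p_start <= cert.not_before and cert.not_after <= p_end):
                return False
    return True


def issued_within_authority_ok(chain: List[Cert], revocations: Dict[str, datetime],
                               now: datetime) -> Optional[bool]:
    """Policy B (Bob's position): a subordinate certificate stands once issued,
    provided its issuer held authority at the moment of issuance. Only the trust
    anchor and the leaf must be valid now. Returns None if any subordinate
    certificate lacks a trusted issuance time, because the verifier's own clock
    cannot then decide whether issuance fell inside the issuer's window."""
    if not chain_links_ok(chain):
        return False
    for cert in (chain[0], chain[-1]):
        start, end = authority_window(cert, revocations)
        if not (start <= now <= end):
            return False
    for i in range(1, len(chain)):
        cert = chain[i]
        if cert.issued_at is None:
            return None
        p_start, p_end = authority_window(chain[i - 1], revocations)
        if not (p_start <= cert.issued_at <= p_end):
            return False
    return True


def evaluate(chain, revocations, now) -> Tuple[bool, Optional[bool]]:
    """Run both policies on one chain; returns (policy_a, policy_b)."""
    return (nested_validity_ok(chain, revocations, now),
            issued_within_authority_ok(chain, revocations, now))


# Constructed scenario from the thread: the employer delegates to Bob, Bob
# issues Cliff a one-year certificate, and Bob's own certificate is revoked a
# week after it was issued.
_d = datetime.fromisoformat
EMPLOYER = Cert("Employer", "Employer", _d("2000-01-01"), _d("2010-01-01"))
BOB = Cert("Employer", "Bob", _d("2000-01-01"), _d("2001-01-01"), issued_at=_d("2000-01-01"))
CLIFF = Cert("Bob", "Cliff", _d("2000-01-03"), _d("2001-01-03"), issued_at=_d("2000-01-03"))
CLIFF_NESTED = Cert("Bob", "Cliff", _d("2000-01-03"), _d("2000-12-01"), issued_at=_d("2000-01-03"))
CLIFF_NO_STAMP = Cert("Bob", "Cliff", _d("2000-01-03"), _d("2001-01-03"))
CLIFF_LATE = Cert("Bob", "Cliff", _d("2000-01-10"), _d("2001-01-10"), issued_at=_d("2000-01-10"))
REVOCATIONS = {"Bob": _d("2000-01-08")}  # Bob leaves; his certificate is revoked

if __name__ == "__main__":
    print("during Bob's week, nested:", evaluate([EMPLOYER, BOB, CLIFF_NESTED], {}, _d("2000-01-05")))
    print("after revocation, one-year:", evaluate([EMPLOYER, BOB, CLIFF], REVOCATIONS, _d("2000-02-01")))
    print("after revocation, no stamp:", evaluate([EMPLOYER, BOB, CLIFF_NO_STAMP], REVOCATIONS, _d("2000-02-01")))
    print("issued after Bob left:", evaluate([EMPLOYER, BOB, CLIFF_LATE], REVOCATIONS, _d("2000-02-01")))
```

Under the nesting rule, Cliff's one-year certificate fails as soon as Bob's is revoked, which is exactly the outcome Bob argues against; the issuance-time rule accepts it, but only because `issued_at` is assumed trustworthy, and it answers `None` rather than guessing when that field is missing.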