[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: delegation question


At 01:19 PM 12/16/97 -0600, Stephen C. Koehler wrote:
>I'm having difficulty figuring out how SPKI solves the following problem of
>Bob has been delegated the authority to sign certificates allowing
>employees to enter his company's building.  He will be on vacation for
>a week, so he delegates his building entry authority, with delegation, to
>Alice for a period of one week.  During the week, Alice signs a building
>entry certificate for Cliff.  It seems that Cliff's authority to enter the
>building will expire with Alice's certificate.  Is there a way to make it
>persist?  I can't see how to do this with any combination of capability and
>name certificates.  Am I missing something?

This is an intriguing case.

To me, Alice is not allowed to give Cliff access beyond Alice's ability to 
delegate.  After that, Bob will have to give Cliff an extension...because 
if Alice can grant Cliff access for a year, then Alice can grant herself 
access for a year and Bob obviously didn't intend for her to have access for 
that length of time.  I think there's a simple solution, however:

If there is some other alternative Bob desires: e.g., that Alice should 
temporarily be able to assign end-user access certs that live a year, Bob is 
able to delegate to Mike (a machine and trusted by Bob not to cheat) the 
long term authority to delegate the desired end authority and grant Alice 
the authority to command Mike to issue certificates.  Alice's authority can 
be time-limited while Mike's isn't.  Mike can execute a program to check for 
the kinds of things Bob wants enforced while Alice makes decisions about who 
gets the target authority.  Mike issues the certificates using Alice's 
signed inputs (and her authorization cert) as only some of its inputs.

That latter example translates immediately into PolicyMaker of course.

 - Carl

Version: PGP for Personal Privacy 5.5.3