
Member-of-issuer, name, member --> empty tag

I suggest that we eliminate the "member-of-issuer", "name", and "member"
objects and replace them by an empty tag.  ("tag" is the suggested
replacement for "auth").  That is, the tag field itself is mandatory, but
it would have no parameters:
	( tag )

The tag field acts as a restriction on the authority delegated to the
subject.  For example,
	( tag ( telnet microsoft.com billg ) )
delegates ONLY the authority to login to microsoft.com as billg.  

An empty tag means no restriction, and thus delegates ALL authority to
the subject.  (As Carl likes to say, this is the identity for the tag
algebra; composing a certificate with an empty tag with a certificate with
a non-empty tag yields a certificate with the non-empty tag.)  

The "member of issuer" functionality would then be accomplished with
a certificate looking like:
  ( certificate
    ( issuer ( basic-ref <key-or-key-hash> group-name ) )
    ( subject S )
    ( tag )
  )
where S is a public key or a key-hash or a reference (basic, general, or
floating).  This declares S to be a member of the issuer's group "group-name".

Note that the issuer could make S a member of the group "group-name" just for
the purposes of telnet access by specifying a non-empty tag:
  ( certificate
    ( issuer ( basic-ref <key-or-key-hash> group-name ) )
    ( subject S )
    ( tag ( telnet microsoft.com billg ) )
  )

Similarly, the issuer can declare that S is the value (or one of the values)
of the name "name" in the issuer's name space by issuing a certificate
of the form
  ( certificate
    ( issuer ( basic-ref <key-or-key-hash> name ) )
    ( subject S )
    ( tag )
  )
That is, being a member of a group and being the value of a name are not
really distinguished.  (And I think that this is appropriate. Once we have
delegation, it is probably pointless to try and force a distinction between
a "group" and an "individual".)

Note that, as above, you can use a nonempty tag to give just some
restricted authorization.  For example, if you have a temporary
laptop key that you only want to use for logging in, you can give it
appropriate authority with a restricted tag, as above, carrying just
telnet authority:
  ( certificate
    ( issuer ( basic-ref <key-or-key-hash> name ) )
    ( subject my-laptop-key )
    ( tag ( telnet my-work-computer.com my-name ) )
  )

Thus to summarize: I propose that we use an empty tag field:
	( tag )
to indicate transferring _all_ authority to the subject.  This captures the
semantics of "member-of-issuer", "member", and "name" perfectly well, and
is consistent with other uses of tag in that the tag field specifies a
restriction on authorization, and an empty tag field specifies no restriction.
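The tag algebra described in this message, as an added example that is not part of the original post and not code from any SPKI/SDSI implementation: a small S-expression parser for the certificate forms shown above, tag intersection with ( tag ) as the identity, and a fold of that intersection over a chain of certificates. The key names (key-alice, key-bob, key-bob-laptop), the host work.example.com, the simplified chain check, and the rule that two different non-empty tags intersect to no authority at all are assumptions made here for illustration; the message itself only specifies how the empty tag behaves.

```python
import re

# Constructed sample chain (not from the message): Alice's group "friends"
# delegates all authority to Bob's key; Bob's name "laptop" then delegates
# only telnet authority to a temporary laptop key.
CHAIN_TEXT = [
    """( certificate
         ( issuer ( basic-ref key-alice friends ) )
         ( subject key-bob )
         ( tag )
       )""",
    """( certificate
         ( issuer ( basic-ref key-bob laptop ) )
         ( subject key-bob-laptop )
         ( tag ( telnet work.example.com bob ) )
       )""",
]

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse(text):
    """Parse one S-expression into nested lists of atom strings."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unbalanced S-expression")
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok != "(":
            return tok  # an atom
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("missing ')'")
        pos += 1  # consume the closing paren
        return items

    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after S-expression")
    return expr


def field(cert, name):
    """Return the ( name ... ) element of a ( certificate ... ) expression."""
    if not isinstance(cert, list) or not cert or cert[0] != "certificate":
        raise ValueError("not a certificate")
    for item in cert[1:]:
        if isinstance(item, list) and item and item[0] == name:
            return item
    raise ValueError("certificate lacks a (%s) field" % name)


def is_all(tag):
    """( tag ) with no parameters: no restriction, i.e. all authority."""
    return tag == ["tag"]


def intersect(a, b):
    """Tag intersection.  From the message: the empty tag is the identity,
    so ( tag ) composed with any tag yields that tag.  Assumption for the
    rest: equal non-empty tags intersect to themselves, and two different
    non-empty tags intersect to None, meaning no authority at all."""
    if a is None or b is None:
        return None
    if is_all(a):
        return b
    if is_all(b):
        return a
    return a if a == b else None


def delegated_authority(chain):
    """Fold intersect() over the tags of a certificate chain, after checking
    that each certificate's subject is the key of the next issuer
    (assumption: a simplified chain check; the message defines none)."""
    result = ["tag"]  # start from "all authority" and restrict downwards
    for i, cert in enumerate(chain):
        if i > 0:
            prev_subject = field(chain[i - 1], "subject")[1]
            issuer_key = field(cert, "issuer")[1][1]  # ( basic-ref <key> name )
            if prev_subject != issuer_key:
                raise ValueError("chain broken at certificate %d" % i)
        result = intersect(result, field(cert, "tag"))
    return result


SAMPLE_CHAIN = [parse(c) for c in CHAIN_TEXT]

if __name__ == "__main__":
    print(delegated_authority(SAMPLE_CHAIN))
    # -> ['tag', ['telnet', 'work.example.com', 'bob']]
```

Folding from ( tag ) downwards is what makes the empty tag the identity in practice: a chain made only of ( tag ) certificates yields ( tag ), and the first restricted certificate anywhere in the chain becomes the result, exactly as the message describes for "member-of-issuer" plus a telnet-only delegation.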