
Re: single <auth> per cert (was Re: "auth" --> "tag" ?? )

At 04:50 PM 4/1/97 -0800, Hal Finney wrote:
>This would imply that there is no way for an automated process to
>perform the chain collapse unless it was armed with some understanding
>of the meaning of the auth tags, sufficient to identify what it meant
>to intersect them.

That is correct.  Perhaps I did a poor job in the I-D explaining this.

There are three ways to intersect tags within the 5-tuple reduction code in a 
verifier's software:

1)	(no effort): if two tags are identical, their intersection is obvious.  
Barring any other specification for a given tag, if they aren't identical, 
they don't intersect.

2)	(small effort): the programmer of the verifying software tells his code 
(his 5-tuple reducer) how to order the parameters of tags which his 
application cares about.  Some parameters make tagA < tagB if tagA has the 
parameter and tagB doesn't.  Some tags can be ordered (e.g., alphabetic 
sorting, numeric sorting; descending, ascending).  Some tags become more 
explicit (therefore lesser) by extension (as in file names).  In this case, 
if tagA is < tagB on all fields, then the intersection is tagA.  This set of 
rules covers many cases of interest and may be all the programmer needs.

3)	(larger effort): failing (1) and (2), the programmer would have to write 
(or snarf) a program to compare tag fields.  This is where PolicyMaker comes 
in.  Hopefully, this will happen only rarely, but we're sure it will happen 
at some point, so we make room for it.

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
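
Methods (1) and (2) from the message above, sketched as an added example that is not part of the original post or of the SPKI draft. The tag layout (a name plus a dict of fields), the field names and the rule table are assumptions made for illustration.

```python
# Added illustration. Assumed layout: a tag is (name, {field: value}).
# Field names and ordering rules below are hypothetical, chosen by the
# application programmer as method (2) describes.

def le_numeric(a, b):
    return a <= b              # smaller limit is the lesser (more restrictive)

def le_extension(a, b):
    return a.startswith(b)     # a extends b (e.g. a longer file name): lesser

def le_flag(a, b):
    return a == b              # plain parameter: only presence orders it

# Fields the application cares about. For these, a tag that has the
# parameter is lesser than one that lacks it.
RULES = {"dir": le_extension, "max-amount": le_numeric, "read-only": le_flag}

def field_le(field, a, b):
    """True if value a <= value b for this field; None means 'absent'."""
    if a == b:
        return True
    if field not in RULES or a is None:
        return False           # unknown field, or only b has the parameter
    if b is None:
        return True            # a has the parameter and b doesn't
    return RULES[field](a, b)

def tag_le(ta, tb):
    """True if ta <= tb on all fields (and the tag names match)."""
    (name_a, fa), (name_b, fb) = ta, tb
    if name_a != name_b:
        return False
    return all(field_le(f, fa.get(f), fb.get(f)) for f in set(fa) | set(fb))

def intersect(ta, tb):
    """Intersection by methods 1 and 2, or None if neither applies."""
    if ta == tb:               # method 1: identical tags
        return ta
    if tag_le(ta, tb):         # method 2: ta is lesser on all fields
        return ta
    if tag_le(tb, ta):
        return tb
    return None                # method 3 (a custom comparison program) not shown
```

A `None` result covers tags that are each lesser on a different field; as the message says, that case needs a purpose-written comparison.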