Re: single <auth> per cert (was Re: "auth" --> "tag" ?? )
At 04:50 PM 4/1/97 -0800, Hal Finney wrote:
>This would imply that there is no way for an automated process to
>perform the chain collapse unless it was armed with some understanding
>of the meaning of the auth tags, sufficient to identify what it meant
>to intersect them.

That is correct. Perhaps I did a poor job in the I-D explaining this.

There are three ways to intersect tags within the 5-tuple reduction code in a
verifier's software:

1) (no effort): if two tags are identical, their intersection is obvious.
Barring any other specification for a given tag, if they aren't identical,
they don't intersect.

2) (small effort): the programmer of the verifying software tells his code
(his 5-tuple reducer) how to order the parameters of tags which his
application cares about. Some parameters make tagA < tagB if tagA has the
parameter and tagB doesn't. Some tags can be ordered (e.g., alphabetic
sorting, numeric sorting; descending, ascending). Some tags become more
explicit (therefore lesser) by extension (as in file names). In this case,
if tagA is < tagB on all fields, then the intersection is tagA. This set of
rules covers many cases of interest and may be all the programmer needs.

3) (larger effort): failing (1) and (2), the programmer would have to write
(or snarf) a program to compare tag fields. This is where PolicyMaker comes
in. Hopefully, this will happen only rarely, but we're sure it will happen
at some point, so we make room for it.

 - Carl

+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
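
The three-step intersection described in the message above, as an added Python sketch that is not part of the original post or of the SPKI draft. The tag layout (a name plus a dict of fields), the rule names and the sample `ftp` tags are assumptions made for illustration; the sketch treats "has the parameter" as lesser for every declared field and compares file names on path-component boundaries.

```python
# Added sketch. Tag layout (name, {field: value}) and rule names are assumptions.
RULES = {
    # a longer file name under the same directory is more explicit, hence lesser
    "prefix": lambda a, b: a.startswith(b.rstrip("/") + "/"),
    "ascending": lambda a, b: a <= b,    # smaller number is lesser (a ceiling)
    "descending": lambda a, b: a >= b,   # larger number is lesser (a floor)
}

def field_leq(rule, a, b):
    """True if field value a is equal to or lesser than b (None = absent)."""
    if a == b:
        return True
    if rule is None or a is None:  # undeclared field, or only b has the parameter
        return False
    if b is None:                  # only a has the parameter, so a is lesser
        return True
    return RULES[rule](a, b)

def tag_leq(a, b, order):
    """True if a is equal to or lesser than b on all fields."""
    return all(field_leq(order.get(f), a.get(f), b.get(f)) for f in set(a) | set(b))

def intersect(tag_a, tag_b, orderings=None, compare=None):
    """Return the intersection of two tags, or None if they do not intersect."""
    if tag_a == tag_b:                       # (1) identical tags
        return tag_a
    (name_a, a), (name_b, b) = tag_a, tag_b
    order = (orderings or {}).get(name_a)
    if name_a == name_b and order:           # (2) declared per-field orderings
        if tag_leq(a, b, order):
            return tag_a
        if tag_leq(b, a, order):
            return tag_b
    if compare is not None:                  # (3) application-supplied program
        return compare(tag_a, tag_b)
    return None                              # no other specification: no intersection

# Constructed sample tags for a hypothetical "ftp" authorization.
ORDERINGS = {"ftp": {"dir": "prefix", "max-bytes": "ascending"}}
WIDE = ("ftp", {"dir": "/pub/cme"})
NARROW = ("ftp", {"dir": "/pub/cme/spki", "max-bytes": 1000})
MIXED = ("ftp", {"dir": "/pub", "max-bytes": 10})

if __name__ == "__main__":
    print(intersect(WIDE, NARROW, ORDERINGS))   # NARROW is lesser on every field
    print(intersect(NARROW, MIXED, ORDERINGS))  # neither is lesser on all fields
```

When neither tag is lesser on all fields and no comparison program is supplied, the sketch returns no intersection, so the reduced 5-tuple grants nothing rather than guessing.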