
Re: single <auth> per cert (was Re: "auth" --> "tag" ?? )

 A million monkeys operating under the pseudonym 
 "Steen Larsen <steen.larsen@ed.nce.sita.int>" typed:
> Bryce wrote:
> > I think this is correct Hal, and I think that this is the "way it
> > has to be".  If I publish a cert asserting that you have my
> > permission to do X, and then you publish a cert asserting that Carl
> > has _your_ permission to do X, then the question of whether Carl has
> > _my_ permission to do X is dependent on what you and I mean by "X",
> > and specifically what you and I mean by intersecting two
> > "X"-permissions.
> > 
> > The I-D, and Ron Rivest's ideas for tag intersection, are _some_
> > ways of computing this intersection, but in _general_ I think the
> > issuer(s) have to determine how to do it for _their_ certs.
> > 
> Yes, issuers may decide how to do it for their certs. However, I think
> we need some standard tags and a generic extension mechanism. Something
> like MIME where a body like IANA is responsible for registering
> extensions.

Hm.  It still seems to me that the natural thing to do, in
keeping with the SPKI precepts, is to declare that there are no
global meanings of tags, that trying to _make_ global meanings of
tags is going to get you into a can of worms, and that you can
accomplish what you want anyway by using local meanings of tags.

Note that a great way to publish what your tag means to you is
to publish a cert containing a URI of a tag definition...

So maybe what _we_ should do _now_ is to define the tag for
defining tags, as part of SPKI, and then define some _example_
tags which are not really part of the SPKI spec, but which give
them (and us!) an idea of how tags can be used.



I am not a cypherpunk.  NOT speaking for DigiCash or any other
person or organization.  No PGP sig follows.
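
Added example, not part of the original message or of the SPKI draft: a small chain reduction showing that whether Carl ends up with a permission depends on the intersection rule the issuers agree on. The tuple tag format, the principals `bryce`/`hal`/`carl`, and both intersection rules are assumptions made for illustration; neither rule is the I-D's or Ron Rivest's algorithm.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

Tag = Tuple[str, ...]  # constructed format: ("X",) or ("X", "read")
Intersect = Callable[[Tag, Tag], Optional[Tag]]


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    tag: Tag


def intersect_exact(a: Tag, b: Tag) -> Optional[Tag]:
    """Hypothetical rule 1: two tags intersect only if they are identical."""
    return a if a == b else None


def intersect_prefix(a: Tag, b: Tag) -> Optional[Tag]:
    """Hypothetical rule 2: a longer tag narrows a shorter one that prefixes it."""
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return long_ if long_[:len(short)] == short else None


def reduce_chain(chain: Sequence[Cert], intersect: Intersect) -> Optional[Tag]:
    """Return the tag the first issuer effectively grants the last subject,
    or None if the chain is broken or the tags do not intersect."""
    if not chain:
        return None
    tag = chain[0].tag
    for prev, cert in zip(chain, chain[1:]):
        if cert.issuer != prev.subject:
            return None  # the next cert was not issued by the previous subject
        tag = intersect(tag, cert.tag)
        if tag is None:
            return None  # the permissions have nothing in common under this rule
    return tag


# Constructed sample chain: bryce grants hal "X", hal grants carl "X read".
CHAIN = [
    Cert("bryce", "hal", ("X",)),
    Cert("hal", "carl", ("X", "read")),
]

if __name__ == "__main__":
    print("exact :", reduce_chain(CHAIN, intersect_exact))
    print("prefix:", reduce_chain(CHAIN, intersect_prefix))
```

The same two certs give Carl nothing under the exact-match rule and `("X", "read")` under the prefix rule, so a verifier has to know which rule the issuers intended before it can evaluate the chain.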
