
Re: serial numbers // push/pull CRL's



To test my understanding & make an application, I wrote up a second
scenario. Is this largely equivalent in its use of the design properties
for distributing, replacing, withdrawing and enforcing authorizations?

I am a multicast group, and client workstations interact with me
via IGMP to gain access to the stream(s) of data. Each source of
a stream issues a certificate, and publishes it to the group. The IGMP
responder local to each client honors these certificates
and enforces the authorization requirement expressed, to control
client access based on group membership. Each source can issue a CRL, which
is distributed to the group. A client can also issue a group-membership
certificate (naming denied streams), communicate it to the
group via IGMP, and expect the router(s) to
control forwarding of streams at the earliest point in the multicasting
process. A client can revoke its stream-deny certificate by publishing
once to the multicast group, enabling the routers to reconfigure
relaying characteristics (if affected).

One query.

Can a source (e.g. HotSoft) issue a second certificate which differs
as to the group which it lists, without first issuing a CRL?

If G={a,b,c} in HotSoft's first certificate, and G={a,b} in the second,
does c gain access following receipt by the group of G as authorized
by the second certificate? If the second replaces the first, presumably
the group identifier is the linkage, and the issuing date is the
signal to replace.

 
Peter.


>    Rather, the scenario I imagine is more like the following:
>
>	I am an internet service provider.  I also support the web pages for
>        company HotSoft and make access decisions for those pages based on
>        certificates issued by HotSoft.  
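The replacement question above (HotSoft's first certificate gives G={a,b,c}, the second gives G={a,b}, with no CRL in between) can be made concrete by modelling what a relying party such as the client-side IGMP responder would keep. The following is an added example, not code from this thread or from any SPKI implementation; it assumes the interpretation Peter suggests, namely that successive certificates from one issuer are linked by the group identifier and that the later issuing date is the signal to replace, and it assumes a CRL withdraws a certificate by (issuer, serial). The names HotSoft, G and a/b/c come from the message; the store, its methods, the serial numbers and the sample dates are constructed here.

```python
"""Model of certificate replacement and withdrawal for the HotSoft question.

Added example, not code from the thread. Assumptions: successive
certificates from one issuer are linked by group_id and the later issue
date wins; a CRL withdraws a certificate by (issuer, serial). The names
HotSoft, G and a/b/c come from the message; everything else is made up.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Cert:
    issuer: str            # signer, e.g. "HotSoft"
    serial: int            # unique per issuer; what a CRL names
    group_id: str          # linkage between successive certificates
    issued: date           # the "signal to replace"
    members: frozenset     # principals authorized for this group


@dataclass
class AuthStore:
    """State kept by a relying party (the IGMP responder or a router)."""
    current: dict = field(default_factory=dict)  # (issuer, group_id) -> Cert
    revoked: set = field(default_factory=set)    # (issuer, serial)

    def publish(self, cert: Cert) -> bool:
        """Accept a published certificate; True if it became current."""
        if (cert.issuer, cert.serial) in self.revoked:
            return False                       # already withdrawn by a CRL
        key = (cert.issuer, cert.group_id)
        cur = self.current.get(key)
        if cur is None or cert.issued > cur.issued:
            self.current[key] = cert           # newer issue date replaces
            return True
        return False                           # stale (e.g. delivered late)

    def publish_crl(self, issuer: str, serials) -> None:
        """Withdraw certificates by (issuer, serial); drop any current one."""
        self.revoked.update((issuer, s) for s in serials)
        stale = [k for k, c in self.current.items()
                 if (c.issuer, c.serial) in self.revoked]
        for key in stale:
            del self.current[key]

    def authorized(self, issuer: str, group_id: str, principal: str) -> bool:
        cert = self.current.get((issuer, group_id))
        return cert is not None and principal in cert.members


def hotsoft_scenario() -> dict:
    """Walk through the question in the message; returns who can access G."""
    # Constructed certificates: serials and dates are assumptions.
    first = Cert("HotSoft", 1, "G", date(1997, 1, 1), frozenset("abc"))
    second = Cert("HotSoft", 2, "G", date(1997, 2, 1), frozenset("ab"))
    out = {}

    store = AuthStore()
    store.publish(first)
    out["c_after_first"] = store.authorized("HotSoft", "G", "c")
    store.publish(second)                      # no CRL issued in between
    out["c_after_second"] = store.authorized("HotSoft", "G", "c")
    out["a_after_second"] = store.authorized("HotSoft", "G", "a")

    # Edge case: the group receives the second certificate before the first.
    # The issue date, not arrival order, decides which one is current.
    late = AuthStore()
    late.publish(second)
    out["first_accepted_late"] = late.publish(first)
    out["c_after_reorder"] = late.authorized("HotSoft", "G", "c")

    # Withdrawal: a CRL naming the second certificate removes it outright.
    # The superseded first certificate is not reinstated in this model.
    store.publish_crl("HotSoft", [2])
    out["a_after_crl"] = store.authorized("HotSoft", "G", "a")
    out["second_republished"] = store.publish(second)
    return out


if __name__ == "__main__":
    for name, value in hotsoft_scenario().items():
        print(f"{name}: {value}")
```

Under these assumptions c loses access as soon as the second certificate is received, whether or not it arrives after the first, and a later CRL against the second certificate leaves nobody authorized for G rather than reviving the first. Whether a superseded certificate should come back when its replacement is revoked is a policy choice the store has to make explicitly; the linkage-by-group-identifier rule alone does not answer it.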
 
