
Global name spaces for tags

SPKI/SDSI will have some standard "suggested" names for some tags, but
any application writer will be free to choose his own.

There is little likelihood of difficulty or security breaches due to a lack
of a globally managed name-space, unless
	(a) two issuers use overlapping sets of tags
	(b) some individual gets authority from each issuer
	(c) that individual delegates some of this authority from
	    a tag in the intersecting set of tags, and doesn't intend
	    to delegate it for both issuers.

It is easy for an issuer to protect himself against this by making his
tags unique.  He may use a URI for the tag name, or otherwise make up
a sufficiently unique tag.

	(tag (tag-id 89325567130078)
	     (spend (account 3456) (amount (* range numeric 0 1000))))

Here the tag-id is a large-enough randomly-chosen value.

In most cases, the tag already contains enough information to make it
unique.  For example, an "ftp" permission tag usually will contain the
machine name, and a "spend" permission tag will usually contain the
account number. 

I think we are better off without trying to co-ordinate tag-writing in
more than a loose fashion.  

The only place where some coordination is perhaps needed is for
interoperability, where a number of servers are providing access, and
some standard access software needs to know if it is read access, write
access, or whatever.  But I think that this can evolve as needed, without
trying to mandate standards.

Ron Rivest
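
The overlap case (a)-(c) and the tag-id fix described in the message above, as an added example that is not part of the original message. It uses a simplified tag intersection covering only atoms, lists and the message's `(* range numeric lo hi)` form; the issuer names and the second tag-id are constructed.

```python
import re

def parse(text):
    """Parse one S-expression into nested lists of atom strings."""
    tokens = re.findall(r"[()]|[^\s()]+", text)
    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        node, i = [], i + 1
        while tokens[i] != ")":
            child, i = read(i)
            node.append(child)
        return node, i + 1
    return read(0)[0]

def bounds(t):
    """Inclusive bounds of a numeric range form or numeric atom, else None."""
    if isinstance(t, list) and t[:3] == ["*", "range", "numeric"]:
        return int(t[3]), int(t[4])
    return (int(t), int(t)) if isinstance(t, str) and t.isdigit() else None

def intersect(a, b):
    """Simplified tag intersection; None means no shared authority."""
    if isinstance(a, str) and isinstance(b, str):
        return a if a == b else None
    ra, rb = bounds(a), bounds(b)
    if ra or rb:  # a range is involved: both sides must be numeric and overlap
        if not (ra and rb) or max(ra[0], rb[0]) > min(ra[1], rb[1]):
            return None
        lo, hi = max(ra[0], rb[0]), min(ra[1], rb[1])
        return str(lo) if lo == hi else ["*", "range", "numeric", str(lo), str(hi)]
    if isinstance(a, str) or isinstance(b, str):
        return None
    parts = [intersect(x, y) for x, y in zip(a, b)]  # shorter list = more general
    if any(p is None for p in parts):
        return None
    return parts + a[len(b):] + b[len(a):]

def granted(issued, delegation):
    """Map each issuer to what the delegate can exercise against it."""
    return {who: intersect(parse(tag), parse(delegation)) for who, tag in issued.items()}

# Constructed sample data (added example): issuer names and second tag-id are made up.
SPEND = "(spend (account 3456) (amount (* range numeric 0 %d)))"
SHARED = {"issuer-A": "(tag " + SPEND % 1000 + ")", "issuer-B": "(tag " + SPEND % 1000 + ")"}
UNIQUE = {"issuer-A": "(tag (tag-id 89325567130078) " + SPEND % 1000 + ")",
          "issuer-B": "(tag (tag-id 40718822905163) " + SPEND % 1000 + ")"}
PLAIN_DELEGATION = "(tag " + SPEND % 100 + ")"
ID_DELEGATION = "(tag (tag-id 89325567130078) " + SPEND % 100 + ")"
```

`granted(SHARED, PLAIN_DELEGATION)` yields authority under both issuers, while `granted(UNIQUE, ID_DELEGATION)` yields it only under issuer-A.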