[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Multi-Tag-Cert Tag Creation and Validation



As my original example did not contain multiple chains leading to a common
authority (the verifier), I left out an important operational step when I
said

>    In general, we collect only those tags whose tag-id appears in
>    each remaining taglist, resulting in a set for each such tag-id.
>    On each tagset (single tag-id) we conduct tag-wise intersection,
>    reducing each set to a single tag.

We really need to take the resulting taglist-mesh and perform the above
(arm-waving) operation on each chain in the mesh, resulting in a CRCert-
like taglist for each chain.  Wherever a tag-id appears in more than one
chainwise-taglist, we should select the tag with the GREATEST authority,
not the LEAST authority.

A quick illustration:

    Root Principal PR delegates "spend-to-1000" to PA, and "spend-to-5000"
    to PB.  A principal PC has KPC certified by each of PA and PB.

    PC, submitting to Root PR a request to spend 3000, must be authorized.

>____TONY____  (speaking for myself, as if)