[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Clever delegation ??

To: "Brian M. Thomas" <bt0008@entropy.sbc.com>, jar@ornl.gov
Subject: Re: Clever delegation ??
From: Bill Frantz <frantz@netcom.com>
Date: Mon, 7 Apr 1997 08:39:24 -0800
Cc: spki@c2.net
In-Reply-To: <199704071530.KAA26764@entropy.sbc.com>
Sender: owner-spki@c2.net

At 7:30 AM -0800 4/7/97, Brian M. Thomas wrote:
>I apologize in advance if I'm just muddying the water here, but it still
>looks to me as though the thing we're trying to model in chain reduction
>is necessarily intersection.  Therefore, intersection is the only proper
>means of accomplishing it.  This follows from the basic intent that no
>principal can grant permissions which it does not possess.  Doing unions
>would only be meaningful where the same issuer grants multiple permissions
>to the same subject, and in this case, again there seems to be no question
>about how it must be done.

My principle issue is that people who build certs in the system must
understand how the delegation logic works.  When that logic is simple, I
don't see an issue.  As it gets more complex, then I think we have to think
about how we educate the users so they don't make mistakes.  That's all.


-------------------------------------------------------------------------
Bill Frantz       | I have taken a real job at | Periwinkle -- Consulting
(408)356-8506     | Electric Communities as a  | 16345 Englewood Ave.
frantz@netcom.com | capability security guru.  | Los Gatos, CA 95032, USA

References:

Re: Clever delegation ??

From: "Brian M. Thomas" <bt0008@entropy.sbc.com>

Prev by Date: Re: Comments on I-D requirement document
Next by Date: Re: Clever delegation ??
Prev by thread: Re: Clever delegation ??
Next by thread: Re: Clever delegation ??
Index(es):
- Main
- Thread