[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Adding/subtracting permissions

It is certainly the case that some applications may have weird 
specifications that are outside the scope of that the standard
*-forms can handle.  For your oddball case, you can just issue the tags
for the days one at a time, instead of having a *-form to 
give you an expressive way to represent them all at once.  Then the
intersection rule is the trivial one (equality).

Ron Rivest

From: Bryce <bryce@digicash.com>
Sender: owner-spki@c2.net
Precedence: bulk

Thank you, Ron Rivest, for your clarifying explanation of tags as

I'm still not sure that we can prescribe a truly useful general
system for tag-intersection, though.

What if I want to issue a cert saying that Hal has the (delegatable)
authority to telnet to highlab.zooko.com on any odd-numbered day of
the month, and then Hal wants to issue a cert delegating his 
"odd-day telnet" capability to Carl, except he will only allow Carl 
to use this capability on prime-numbered days of the month?

Sounds like to me that Hal and I and the sysadmin of
highlab.zooko.com are all going to have to agree on our own custom
tag-meanings and accompanying tag-intersection-rules.

If this is the case, then the tag-intersection rules that we are
thinking of here will have to take the role of "default" or
"suggested" rules, rather than official, general specifications.

Perhaps they should even be published separately from SPKI itself.



P.S. Of course I _could_ issue a cert consisting of 16 even-numbered 
"allowed-on-this-date" tags and Hal could issue a delegation cert 
consisting of 11 prime-numbered "allowed-on-this-date" tags, and 
Ron's generic tag-intersection rule would correctly handle this, 
but I don't think that this will apply generally.  What if I want to
allow something on even-numbered _minutes_ of the month?

Disclaimers follow:  I am not a cypherpunk.  NOT speaking for 
DigiCash or any other person or organization.  No PGP sig follows.