Re: Other *-forms for dates and times, and love
To summarize, then, mostly for my sake:
1. As Ron pointed out (thanks for reminding us of something that seems
too easy to forget), certificates only grant privileges; they can't take
them away. That's because if I don't like a cert, I don't have to present
it.
2. As I have been saying, delegation grants privileges, but only to the
extent that the grantor has them to grant. That's because the issuer/verifier
has the final say on what gets delegated. You can give anyone permission to
read my private mail, but if they have to get through me to do it, I don't
have to honor that permission, and if I haven't expressly given you permission
to delegate that, I won't.
3. Therefore, certificate chains are evaluated by:
a) establishing a chain (or mesh) of certificates from the verifier to the
supplicant. This is a mechanistic process of matching issuer and subject
keys;
b) taking the intersection of all privileges granted in each unique chain
in the mesh. If any chain evaluates to the requested privilege, it is
granted.
4. Evaluating the intersections is primarily up to the
issuer/verifier, since the privileges are expressed in a language known
to him/her/it. The important thing to note is that the language and
its meaning are more significant than the logic, since they will
determine the set expansions implied by the expressions.
brian
Brian Thomas, CISSP - Distributed Systems Architect
Southwestern Bell
One Bell Center, Room 34G3
St. Louis, MO 63101
bt0008@entropy.sbc.com
bthomas@primary.net
Tel: 314 235 3141
Fax: 314 235 0162
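The evaluation rule in points 1 through 3 of the message above, carried out on a toy set of authorization certificates. This is an added example, not code from the original post or from any SPKI implementation; the Cert structure, the principal names (verifier, alice, bob, carol, dave) and the sample certificates are all constructed here. Privileges are plain strings and intersection is literal set intersection, which is the part point 4 says a real system must define in the issuer's own privilege language.

```python
"""Toy certificate-chain evaluation: mesh building, per-chain intersection,
grant-if-any-chain-grants, and delegation limited to what the grantor holds.
Added example; all names and certificates below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Cert:
    """Issuer grants subject the given privileges.  If delegate is False the
    subject may exercise them but may not pass them on (point 2)."""
    issuer: str
    subject: str
    privileges: FrozenSet[str]
    delegate: bool


def find_chains(certs: List[Cert], verifier: str, supplicant: str) -> List[List[Cert]]:
    """Point 3a: mechanically match issuer and subject keys to enumerate every
    chain from the verifier's own key down to the supplicant."""
    chains: List[List[Cert]] = []

    def walk(current: str, path: List[Cert], seen: FrozenSet[str]) -> None:
        if current == supplicant and path:
            chains.append(list(path))
            return
        for c in certs:
            # 'seen' prevents loops through a principal already on the path.
            if c.issuer == current and c.subject not in seen:
                walk(c.subject, path + [c], seen | {c.subject})

    walk(verifier, [], frozenset({verifier}))
    return chains


def chain_privileges(chain: List[Cert]) -> FrozenSet[str]:
    """Point 3b, first half: a chain conveys the intersection of every link's
    grant, so nobody can pass on more than they were given (point 2).  A link
    whose issuer was not allowed to delegate conveys nothing past that point."""
    granted = chain[0].privileges
    for prev, nxt in zip(chain, chain[1:]):
        if not prev.delegate:
            return frozenset()
        granted = granted & nxt.privileges
    return granted


def authorized(certs: List[Cert], verifier: str, supplicant: str, requested: str) -> bool:
    """Point 3b, second half: the request is granted if ANY chain conveys it.
    Because of this, a narrower certificate never takes a privilege away
    (point 1); the supplicant can simply rely on the wider chain."""
    return any(requested in chain_privileges(ch)
               for ch in find_chains(certs, verifier, supplicant))


# Constructed sample mesh (not real keys or certificates).
SAMPLE_CERTS = [
    Cert("verifier", "alice", frozenset({"read", "write"}), delegate=True),
    # alice tries to hand bob "admin", which she was never given.
    Cert("alice", "bob", frozenset({"read", "write", "admin"}), delegate=True),
    # A second, narrower cert for bob; it cannot revoke the wider one.
    Cert("alice", "bob", frozenset({"read"}), delegate=False),
    # carol may read but was not permitted to delegate.
    Cert("verifier", "carol", frozenset({"read"}), delegate=False),
    Cert("carol", "dave", frozenset({"read"}), delegate=True),
]


if __name__ == "__main__":
    for who, priv in [("bob", "read"), ("bob", "write"), ("bob", "admin"), ("dave", "read")]:
        print(f"{who} requests {priv}: {authorized(SAMPLE_CERTS, 'verifier', who, priv)}")
```

bob gets read and write (alice had them) but not admin (alice never did), and dave gets nothing because carol's certificate to him is behind a link that was not delegable; the verifier decides all of this from certificates it matched itself, never from anything the supplicant chose to withhold.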