[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Other *-forms for dates and times, and love

To summarize, then, mostly for my sake:

1.  As Ron pointed out (thanks for reminding us of something that seems 
too easy to forget), certificates only grant privileges; they can't take
them away.  That's because if I don't like a cert, I don't have to present

2.  As I have been saying, delegation grants privileges, but only to the
extent that the grantor has them to grant.  That's because the issuer/verifier
has the final say on what gets delegated.  You can give anyone permission to
read my private mail, but if they have to get through me to do it, I don't
have to honor that permission, and if I haven't expressly given you permission
to delegate that, I won't.

3.  Therefore, certificate chains are evaluated by: 
  a) establishing a chain(or mesh) of certificates from the verifier to the
     supplicant.  This is a mechanistic process of matching issuer and subject
  b) taking the intersection of all privileges granted in each unique chain
     in the mesh.  If any chain evaluates to the requested privilege, it is

4.  Evaluating the intersections is primarily up to the
issuer/verifier, since the privileges are expressed in a language known
to him/her/it.  The important thing to note is that the language and
its meaning are more significant than the logic, since they will
determine the set expansions implied by the expressions.


Brian Thomas, CISSP - Distributed Systems Architect  bt0008@entropy.sbc.com
Southwestern Bell                                    bthomas@primary.net
One Bell Center,  Room 34G3                          Tel: 314 235 3141
St. Louis, MO 63101                                  Fax: 314 235 0162