[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Java programs, etc.

To: rivest@theory.lcs.mit.edu (Ron Rivest)
Subject: Re: Java programs, etc.
From: Bryce <bryce@digicash.com>
Date: Tue, 08 Apr 1997 21:25:56 +0200
Cc: bt0008@entropy.sbc.com, spki@c2.net, blampson@microsoft.com
In-Reply-To: Your message of "Tue, 08 Apr 1997 13:56:32 EDT." <199704081756.AA27181@swan.lcs.mit.edu>
Reply-To: bryce@digicash.com
Sender: owner-spki@c2.net


> I don't 
> understand how "custom intersection algorithms" are supposed to be
> authorized, and how they are supposed to work.



Perhaps I don't understand the problem.  Let me test my understanding
by making up a simple example.


What if you see a certificate:

	(certificate
		(issuer twirlip)
		(subject okozo)
		(tag (may-eat-the-wigglies 12 blue)))

and you see another certificate:

	(certificate
		(issuer okozo)
		(subject alice)
		(tag (may-eat-the-wigglies 0 blue)))


Now, if you are considering using this certificate chain as an 
authorization allowing Alice to actually _do_ something, then
presumably you already have a certificate like:

	(certificate
		(issuer self)
		(subject twirlip)
		(tag (may-give-out-wiggly-eating-auths)))


and you already have talked to Twirlip and agreed on what this
authorization means.  If it helps you, you might want to make
yourself a certificate

	(certificate
		(issuer self)
		(subject "http://www.self.com/WigglyEating.PM"))


Um..  Or is that

	(certificate
		(issuer self)
		(subject (tag may-give-out-wiggly-eating-auths))
		(tag (PM-program "http://www.self.com/WigglyEating.PM")))

Or maybe just add the PM-program URL to your original cert, making it

	(certificate
		(issuer self)
		(subject twirlip)
		(tag
			(name may-give-out-wiggly-eating-auths)
			(URI "http://www.self.com/WigglyEating.PM")))


???


Anyway...  You can make a certificate which reminds you (and
incidentally informs others) of what the tag means.


But let's say you have _not_ made any deals with Twirlip, and you 
do _not_ operate a server (like "wigglies.self.com") which needs to
decide on Alice's authorization.  Instead you are an ISP who provides 
net access and public key infrastructure for self.com.  You have never 
heard of Twirlip before but you would like, if possible, to collapse
this two-certificate chain into a single certificate before passing
it on to self.com.


This is the problem we are faced with, right?  So you need to figure
out what the two issuers meant with their respective tags.



Please excuse me if I am being ignorant.


Regards,

Zooko of the Mists

Disclaimers follow:  I am not a cypherpunk.  NOT speaking for 
DigiCash or any other person or organization.  No PGP sig follows.

References:

Java programs, etc.

From: rivest@theory.lcs.mit.edu (Ron Rivest)

Prev by Date: Re: Adding/subtracting permissions
Next by Date: Java programs, etc.
Prev by thread: Re: Java programs, etc.
Next by thread: Re: Java programs, etc.
Index(es):
- Main
- Thread