[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
For complicated policy decisions where group membership will not suffice to
grant authorization (e.g., remote online operation of scientific instruments),
more complicated mechanisms are needed. For example, I might need certificates
to certify training, to certify payment, and to certify a time reservation to
get a certificate to unlock the machine at the appointed time.
Now, suppose I am missing one. How do I know which it is, and where to get it?
Will I have to spend my life tracking down certificates so I can get my job
done? Such a spectre kind of frightens me. I think some sort of mechanism for
doing all these things has to go along with the SPKI/SDSI proposal or else it
will end up making life more complicated. Have we just ended up by replacing the
X.509 CA mechanism with a more complicated authorization certificate directory?
Maybe we need something like an OCP (obtain certicifate pointer) that will list
the URLs that issue the required certificates so it can all be done
automatically. So, the resource is contacted and sends the OCP to the requestor.
The requestor('s proxy) contacts the URLs to check on his certificate store. The
actual requestor may have to be bothered to answer some questions to obtain new
certificates, but hopefully this is minimized. Then the correct certificate
bundle is presented back to the resource.
Excellent questions, and an important ones for making these systems
workable in practice.
There is obviously some negotiation that must take place between the
requestor and the server so that the server can end up having the
certificates it needs to see that the request is appropriately
authorized. The requestor probably doesn't want to give the server
all of its certificates a priori, since there is privacy loss there.
But the requestorr may not even know a priori what is on the ACL. Furthermore,
some of the certificates needed may be available from third parties---who
should go get them? In SDSI (see the original paper from my web page),
the requestor makes a request, the server can deny it but tell the
requestor what group membership is needed, and the requestor can repeat
the request with appropriate group membership certificates. I think that
this sort of approach is likely to be the most workable in practice...
Does this make sense?