[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Tag Conditionals (was Re: Delegation and Policy)

Brian Thomas wrote:
>     Your example of policy would likely solve the problem, but
>inelegantly, it seems.  A more straightforward solution would involve
>the ability to grant only the ability to grant or delegate a privilege
>without being able to make use of it directly.

I was looking for that straightforward solution, and had attempted a
construct of the form:

TZ:   (tag (drivers-licence (* set (capacity may-issue has-been-issued))).

I believe Ron Rivest had pointed out that, to wit, a chain-validation should
fail if the result still contains *-forms.  That is, the "final subject"
certificate(s) must have constant parameters.  But perhaps I am wrong, and
at least he meant that a certificate query of the form

    Is cert C valid to authorize X? (for X constant)

must necessarily intersect to a constant to be valid.  In either case, the
license examiner granted tag TZ could certify my key KI with the tag:

TI:   (tag (drivers-licence (capacity has-been-issued))

And now TI = subset(TZ).

>I also should not bring up the conflict-of-interest possibilities whereby
>someone privileged to grant a license should not be allowed to grant it
>to himself, so I won't.  This could, of course, be handled by a policy,
>and probably no other way.

Yes, this is the hard part.

Here are suggestions that would extend *-forms, in that the tags would
have parameters that refer to (and test against) values in the cert header.
They still have flaws, but maybe someone can work them out.  I think the
functionality would prove useful in lieu of full-up algorithms:

This one borrows the C-language tri-glyph contruct:

TZ:  (tag (drivers-licence
            (* set ( capacity (delegate ? may-issue : has-been-issued )))))

Here, a cert issued with "may-delegate" gives the tag allowance to continue
certifying "may-issue-license", otherwise resolves to only certifying "has-
been-issued-license".  Higher authority Y can grant Z "no-delegate" so that
Z cannot certify more license-grantors, but can grant licenses.  Maybe.

I imagine that an "intersection pre-processor" reduces the tri-glyphs to
a constant, or at least a non-conditional parameter, prior to intersection.

Another tag-embedded test could replace "delegate ?" with "SUBJECT == ISSUER ?"
as a condition on award of parameter(s).  This may prevent self-certification
(on a single key) but here we want subject <> issuer for both the delegation of
right-to-issue and non-delegation of right-to-drive. Still does not exactly
fix the problem.  Maybe some combination?

(This is fun! Do people get paid to do this? :)

(ERROR: .sig authentication failure)