[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
propagation control
-----BEGIN PGP SIGNED MESSAGE-----
I raised an issue probably better left alone in Memphis.
So far, we decided to let propagation (previously called delegation) be
boolean.
RLR suggested a third option "stop-at-key". I now believe that that is the
meaning of "false". That is, if you have a cert which gives permissions to
some SDSI name but not permission to propagate, then you really mean
"stop-at-key" because otherwise the indicated key gets no permission. The
mapping from name to key involves another certificate.
- ---
So in Memphis, I suggested allowing the syntax
(propagate true)
(propagate false)
(propagate <SDSI-name>)
where the last form would give the set of people who, as issuers, have
permission to propagate through this certificate.
I think this is very powerful and probably gives all the control you'd ever
want to have, but it is a definite complication in 5-tuple evaluation.
- ----------
By contrast, we could have just the keyword
(propagate) meaning the true sense and leave it out if we want the false
sense, since this is boolean otherwise.
- -------------
How do y'all feel about this?
- Carl
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBM1r5rVQXJENzYr45AQHnJAP/YJcnorDiEtmNWM6EubuiFMrPztpol1sc
+TFOMEKzzWtMWHyexJIMevK/kGEc/5T5+SWB2K2LAq44oZaZPH0+u/EcfO+Zb86Q
BK2iwg1JF50GIY1dljXeis/dT2l0USdXu4xlf2TkSCRDh+bYGm/3INhGFcaLU2Os
3o1UEGnDVxc=
=OKtW
-----END PGP SIGNATURE-----
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
Follow-Ups: