Re: propagation control
Let me start the discussion of this issue.
At 01:23 AM 4/21/97 -0400, Carl Ellison wrote:
>So in Memphis, I suggested allowing the syntax
>
>(propagate true)
>(propagate false)
>(propagate <SDSI-name>)
>
>where the last form would give the set of people who, as issuers, have
>permission to propagate through this certificate.
>
>I think this is very powerful and probably gives all the control you'd ever
>want to have, but it is a definite complication in 5-tuple evaluation.
This may be a non-issue, in which case I'm really sorry I raised it.
The cert of which this is a part can be thought of as:
(certificate
  (issuer K_me)
  (subject G1)
  (propagate G2)
)
where G1 and G2 are group definitions.
If G1 = G2 then this could have used just (propagate).
If they're different, you've issued in effect two certificates:
(certificate
  (issuer K_me)
  (subject (and G1 G2))
  (propagate)
)
and
(certificate
  (issuer K_me)
  (subject (minus G1 (and G1 G2)))
  (propagate false)
)
-----------
but we don't allow logical operations on groups, especially not
the (minus ..) operator, and we're not likely ever to
allow those.
Of course, the second cert could really be
(certificate
  (issuer K_me)
  (subject G1)
  (propagate false)
)
because there's no crime in having multiple certs valid for the
same permission.
If we don't allow such propagation control, the issuer can still
do what he wants -- only it might take some more careful group
definitions.
---------
So, my take is not to allow (propagate <group-name>), on the
theory that this would apply only to a very small set of cases
and the issuer in those cases could do other things.
- Carl
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
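
The decomposition argued in the message above, worked through as an added example (not part of the original message or of any SPKI/SDSI implementation). It assumes groups are plain sets of principal names and that a right holds if any one valid certificate grants it; the function names and sample groups are constructed for illustration, and the intersection is computed here only to check the equivalence.

```python
# Model (an assumption of this example): a certificate is (subject, propagate),
# where subject is a set of principals and propagate is True, False, or a set
# of principals allowed to re-issue, i.e. the (propagate <group-name>) form.

def evaluate(certs, principal):
    """Return (authorized, may_propagate) for one principal over several certs.

    Certs for the same permission combine by union: a right holds if any
    single cert grants it.
    """
    authorized = may_propagate = False
    for subject, propagate in certs:
        if principal not in subject:
            continue
        authorized = True
        if propagate is True:
            may_propagate = True
        elif isinstance(propagate, (set, frozenset)) and principal in propagate:
            may_propagate = True
    return authorized, may_propagate

def decompose(g1, g2):
    """The two-cert form using (and ..) and (minus ..) from the message."""
    both = g1 & g2
    return [(both, True), (g1 - both, False)]

def decompose_without_minus(g1, g2):
    """Same, but the second cert names all of G1 with (propagate false)."""
    return [(g1 & g2, True), (g1, False)]

def equivalent(g1, g2, universe):
    """True if all three formulations agree for every principal."""
    single = [(g1, g2)]
    return all(
        evaluate(single, p)
        == evaluate(decompose(g1, g2), p)
        == evaluate(decompose_without_minus(g1, g2), p)
        for p in universe
    )

# Constructed sample groups: G1 holds the permission, G2 may propagate.
G1 = frozenset({"alice", "bob", "carol"})
G2 = frozenset({"bob", "carol", "dave"})
UNIVERSE = G1 | G2 | {"eve"}

if __name__ == "__main__":
    for p in sorted(UNIVERSE):
        print(p, evaluate([(G1, G2)], p))
    print("equivalent:", equivalent(G1, G2, UNIVERSE))
```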