[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: propagation control


Let me start the discussion of this issue.

At 01:23 AM 4/21/97 -0400, Carl Ellison wrote:
>So in Memphis, I suggested allowing the syntax
>(propagate true)
>(propagate false)
>(propagate <SDSI-name>)
>where the last form would give the set of people who, as issuers, have 
>permission to propagate through this certificate.
>I think this is very powerful and probably gives all the control you'd ever 
>want to have, but it is a definite complication in 5-tuple evaluation.

This may be a non-issue, in which case I'm really sorry I raised it.

The cert of which this is a part can be thought of as:

	(issuer K_me)
	(subject G1)
	(propagate G2)

where G1 and G2 are group definitions.

If G1 = G2 then this could have used just (propagate).

If they're different, you've issued in effect two certificates:

	(issuer K_me)
	(subject (and G1 G2))


	(issuer K_me)
	(subject (minus G1 (and G1 G2)))
	(propagate false)

- -----------

but we don't allow logical operations on groups, especially not
the (minus ..) operator, and we're not likely ever to
allow those.

Of course, the second cert could really be

	(issuer K_me)
	(subject G1)
	(propagate false)

because there's no crime in having multiple certs valid for the
same permission.

If we don't allow such propagation control, the issuer can still
do what he wants -- only it might take some more careful group

- ---------

So, my take is not to allow (propagate <group-name>), on the 
theory that this would apply only to a very small set of cases
and the issuer in those cases could do other things.

 - Carl

Version: 2.6.2


|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |

Follow-Ups: References: