
SPKI certificates as "enhanced" signatures?

(Sorry if this has already been discussed, dismissed,... etc or if I've
overlooked the obvious!)

The SPKI draft appears to be solely concerned with the case where an
issuer wishes to grant some authority to a subject. Another use of
certificates is where an issuer merely wishes to make a "statement"
about a subject. Such a certificate may perhaps confer no other
meaning/authority than the statement itself; it may not need a validity
period - just a timestamp. 

Such certificates could be used as simple signatures of an object, but
the flexibility of the certificate <tag> fields would allow much more
information to be conveyed; perhaps indicating the purpose of the

For example, company email could be "authorized" as official by signing
it with a certificate such as:

  <issuer> some.company.com 
  <subject> hash of outgoing email
  <tag> official-company-email
  <validity> timestamp 

Is this use of certificates outside the charter for SPKI? It would seem
that very little change in syntax would give SPKI certificates much
broader application. All that is really required is a validity field,
perhaps "Valid-at", that can be used in situations where a timestamp is
more relevant than Not-before or Not-after.

Also, consideration should be given to defining a MIME type for SPKI
certificates (application/spki-certificate ?) so that they may be
transferred properly via email. If SPKI certificates were to be used as
"enhanced" signatures, the MIME type would allow their use in signed
messages conforming to RFC1847. 

Ian Bell                                           T U R N P I K E  Ltd