[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPKI certificates as "enhanced" signatures?


	I may have let references to this slip from the draft, but the notion of 
such meaning has been included in our discussions and I believe it's a fully 
appropriate way to use SPKI certificates.

	Specifically, the original discussion included the ability to say arbitrary 
things about a keyholder.  If nothing else, the comment field can be used 
for that purpose, but as you point out the tag field can also be used if you
want to define a machine-processable description.

	Between draft -00 and -01, we extended subjects to include objects other 
than keys, including keyholders, documents and programs, specifically to allow 
this kind of extended signature.

	This steps on the toes of PICS, to some extent, but we decided to continue 
rather than force all statements about documents to be in the PICS form 
(numerical ratings).  We're not trying to replace PICS but rather to live
beside it.

 - Carl

At 02:17 PM 5/2/97 +0100, Ian Bell wrote:
>(Sorry if this has already been discussed, dismissed,... etc or if I've
>overlooked the obvious!)
>The SPKI draft appears to be solely concerned with the case where an
>issuer wishes to grant some authority to a subject. Another use of
>certificates is where an issuer merely wishes to make a "statement"
>about a subject. Such a certificate may perhaps confer no other
>meaning/authority than the statement itself; it may not need a validity
>period - just a timestamp. 
>Such certificates could be used as simple signatures of an object, but
>the flexibility of the certificate <tag> fields would allow much more
>information to be conveyed; perhaps indicating the purpose of the
>For example, company email could be "authorized" as official by signing
>it with a certificate such as:
>  <issuer> some.company.com 
>  <subject> hash of outgoing email
>  <tag> official-company-email
>  <validity> timestamp 
>Is this use of certificates outside the charter for SPKI? It would seem
>that very little change in syntax would give SPKI certificates much
>broader application. All that is really required is a validity field,
>perhaps "Valid-at", that can be used in situations where a timestamp is
>more relevant than Not-before or Not-after.
>Also, consideration should be given to defining a MIME type for SPKI
>certificates (application/spki-certificate ?) so that they may be
>transferred properly via email. If SPKI certificates were to be used as
>"enhanced" signatures, the MIME type would allow their use in signed
>messages conforming to RFC1847. 
>Ian Bell                                           T U R N P I K E  Ltd

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |