[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: definition of cert - trust in SPKI certs

To: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
Subject: Re: definition of cert - trust in SPKI certs
From: Carl Ellison <cme@cybercash.com>
Date: Mon, 16 Jun 1997 21:12:03 -0400
Cc: spki@c2.net
In-Reply-To: <Pine.ULT.3.95.970522150629.17208C-100000@dante>
Sender: owner-spki@c2.net

-----BEGIN PGP SIGNED MESSAGE-----

At 03:39 PM 5/22/97 +0200, Stef Hoeben wrote:
>
>Hello,
>
>Hope these questions weren't answered before:
>
>1 Many certs in SPKI will be signed by the subject. In X.509,
>"to certify" means your key is signed by some one else; and
>"to sign" means you sign something yourself.
>So all signed messages are certficates in SPKI?

This is a good question, Stef.

The distinction between signed things (message, code, certificate) can be 
blurred under SPKI.  TO me, the difference is that SDSI/SPKI provides a 
machine-readable form with defined fields for that machine to read (plus as 
many user-defined but machine-ignored fields as you want (e.g., comments)).  
SDSI/SPKI defines what to do with those fields -- so there is both syntax 
and semantics.

>2 X.509 talk about a CA hierarchy, in SDSI, there are some
>CA roots. Does SPKI also defines a way to put trust in the
>certficates?

Of course.  That's the whole point -- transfer of trust from a source, 
possibly through intermediaries, to a destination (user, key or document).

>This looks to me the biggest problems of PKI's: how to let
>people trust a cert... 

Almost.  X.509 specified how to trust a cert.  Where they failed was in 
defining *what* one trusts as a result of the cert chain.  People kept 
talking about "trust" as if it were unqualified -- global -- absolute.

>X.509 alone may not be enough for this, they need the help 
>of laws and regulations about CA's. 

I believe that's because they are trying to tie keys to people and have keys 
acquire attributes from flesh and blood people.  I think we bypass that 
rathole -- but we have our own need for laws, perhaps -- in what I called 
"subpoena certificates".  Then again, those might be issued by a profit 
making company formed for the purpose.

>MC (Meta Certificates, http://novaware.cps.softex.br/mcg.htm)
>solves the problem by giving the users multiple authentication
>channels and letting him be responsable for trusting a public 
>key.

I need to read your web page.  I'm offline, trying to catch up on saved but 
unanswered SPKI mail.

>How will SPKI do this? Other ways, the same ones, a mix, ...?

If the coming draft doesn't make it clear, then I need to do yet another 
editing round...but I think it will.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: 5.0
Charset: noconv

iQCVAwUBM6XkYlQXJENzYr45AQExGgP7BG1uqtpb7Dm7eOJoYNqg1LgsIImzAb3Y
8W7cUCNaTaUpmew9ZABGoz/LvAxy+tg4YT5m/y3/M6FgbhfN7nK+tOpY7yu4eRnN
VNUhF2XsIxlt3Vwawx4cPw7NA27CIJuJdscP9tVsbHfG3BOuVWGMezHlmUYLgDBA
Z5LI5nrsnto=
=UnwZ
-----END PGP SIGNATURE-----

+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+

References:

definition of cert - trust in SPKI certs

From: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>

Prev by Date: Re: SPKI getting something done would be nice....
Next by Date: Re: SPKI getting something done would be nice....
Prev by thread: definition of cert - trust in SPKI certs
Next by thread: Re: definition of cert - trust in SPKI certs
Index(es):
- Main
- Thread