[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: definition of cert - trust in SPKI certs


At 03:39 PM 5/22/97 +0200, Stef Hoeben wrote:
>Hope these questions weren't answered before:
>1 Many certs in SPKI will be signed by the subject. In X.509,
>"to certify" means your key is signed by some one else; and
>"to sign" means you sign something yourself.
>So all signed messages are certficates in SPKI?

This is a good question, Stef.

The distinction between signed things (message, code, certificate) can be 
blurred under SPKI.  TO me, the difference is that SDSI/SPKI provides a 
machine-readable form with defined fields for that machine to read (plus as 
many user-defined but machine-ignored fields as you want (e.g., comments)).  
SDSI/SPKI defines what to do with those fields -- so there is both syntax 
and semantics.

>2 X.509 talk about a CA hierarchy, in SDSI, there are some
>CA roots. Does SPKI also defines a way to put trust in the

Of course.  That's the whole point -- transfer of trust from a source, 
possibly through intermediaries, to a destination (user, key or document).

>This looks to me the biggest problems of PKI's: how to let
>people trust a cert... 

Almost.  X.509 specified how to trust a cert.  Where they failed was in 
defining *what* one trusts as a result of the cert chain.  People kept 
talking about "trust" as if it were unqualified -- global -- absolute.

>X.509 alone may not be enough for this, they need the help 
>of laws and regulations about CA's. 

I believe that's because they are trying to tie keys to people and have keys 
acquire attributes from flesh and blood people.  I think we bypass that 
rathole -- but we have our own need for laws, perhaps -- in what I called 
"subpoena certificates".  Then again, those might be issued by a profit 
making company formed for the purpose.

>MC (Meta Certificates, http://novaware.cps.softex.br/mcg.htm)
>solves the problem by giving the users multiple authentication
>channels and letting him be responsable for trusting a public 

I need to read your web page.  I'm offline, trying to catch up on saved but 
unanswered SPKI mail.

>How will SPKI do this? Other ways, the same ones, a mix, ...?

If the coming draft doesn't make it clear, then I need to do yet another 
editing round...but I think it will.

 - Carl

Version: 5.0
Charset: noconv


|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |