[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: definition of cert - trust in SPKI certs
-----BEGIN PGP SIGNED MESSAGE-----
At 03:39 PM 5/22/97 +0200, Stef Hoeben wrote:
>
>Hello,
>
>Hope these questions weren't answered before:
>
>1 Many certs in SPKI will be signed by the subject. In X.509,
>"to certify" means your key is signed by some one else; and
>"to sign" means you sign something yourself.
>So all signed messages are certficates in SPKI?
This is a good question, Stef.
The distinction between signed things (message, code, certificate) can be
blurred under SPKI. TO me, the difference is that SDSI/SPKI provides a
machine-readable form with defined fields for that machine to read (plus as
many user-defined but machine-ignored fields as you want (e.g., comments)).
SDSI/SPKI defines what to do with those fields -- so there is both syntax
and semantics.
>2 X.509 talk about a CA hierarchy, in SDSI, there are some
>CA roots. Does SPKI also defines a way to put trust in the
>certficates?
Of course. That's the whole point -- transfer of trust from a source,
possibly through intermediaries, to a destination (user, key or document).
>This looks to me the biggest problems of PKI's: how to let
>people trust a cert...
Almost. X.509 specified how to trust a cert. Where they failed was in
defining *what* one trusts as a result of the cert chain. People kept
talking about "trust" as if it were unqualified -- global -- absolute.
>X.509 alone may not be enough for this, they need the help
>of laws and regulations about CA's.
I believe that's because they are trying to tie keys to people and have keys
acquire attributes from flesh and blood people. I think we bypass that
rathole -- but we have our own need for laws, perhaps -- in what I called
"subpoena certificates". Then again, those might be issued by a profit
making company formed for the purpose.
>MC (Meta Certificates, http://novaware.cps.softex.br/mcg.htm)
>solves the problem by giving the users multiple authentication
>channels and letting him be responsable for trusting a public
>key.
I need to read your web page. I'm offline, trying to catch up on saved but
unanswered SPKI mail.
>How will SPKI do this? Other ways, the same ones, a mix, ...?
If the coming draft doesn't make it clear, then I need to do yet another
editing round...but I think it will.
- Carl
-----BEGIN PGP SIGNATURE-----
Version: 5.0
Charset: noconv
iQCVAwUBM6XkYlQXJENzYr45AQExGgP7BG1uqtpb7Dm7eOJoYNqg1LgsIImzAb3Y
8W7cUCNaTaUpmew9ZABGoz/LvAxy+tg4YT5m/y3/M6FgbhfN7nK+tOpY7yu4eRnN
VNUhF2XsIxlt3Vwawx4cPw7NA27CIJuJdscP9tVsbHfG3BOuVWGMezHlmUYLgDBA
Z5LI5nrsnto=
=UnwZ
-----END PGP SIGNATURE-----
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
References: