[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SPKI signing keys only

> From: Carl Ellison <cme@cybercash.com>
> At 04:21 PM 6/15/97 +1000, Bob Smart wrote:
> >Either way it seems that public key infrastructure should only
> >cover signing keys. Mixing in other sorts of keys into that infrastructure
> >is unnecessary and confusing. Or maybe I'm missing something?
> I concur completely as do the other authors of the SPKI draft, I believe.
Thank you.  Now we need to make this more clear in the SPKI draft.

I don't really like the term "signing keys", though.  Signing is an

I usually explain it as:

    Identification key: a long-term key that is associated with a
    particular role, person, machine, or process (usually a
    public/private key pair).

    Communication key: a short-term key used for a message (usually an
    "ephemeral" symmetric secret key).

    Signing is the _act_ of creating a Signature using Identification
    keys.  I rarely mention that this often involves public key
    encryption to create the signature.  Folks just don't understand
    that this signature encryption is a fundamentally different usage
    than message stream encryption.

    A Certificate is a list of Signatures.

    Authentication is the _act_ of verifying the certificate.

    Authorization is the _act_ of verifying that a particular
    certificate has "permission" to act based on a "policy".

Does this make sense to the rest of you?  Could we expand the
SPKI terminology section?  Could we clarify the purpose of SPKI?

    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2