[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
SPKI signing keys only
> From: Carl Ellison <cme@cybercash.com>
> At 04:21 PM 6/15/97 +1000, Bob Smart wrote:
> >Either way it seems that public key infrastructure should only
> >cover signing keys. Mixing in other sorts of keys into that infrastructure
> >is unnecessary and confusing. Or maybe I'm missing something?
>
> I concur completely as do the other authors of the SPKI draft, I believe.
>
Thank you. Now we need to make this more clear in the SPKI draft.
I don't really like the term "signing keys", though. Signing is an
activity.
I usually explain it as:
Identification key: a long-term key that is associated with a
particular role, person, machine, or process (usually a
public/private key pair).
Communication key: a short-term key used for a message (usually an
"ephemeral" symmetric secret key).
Signing is the _act_ of creating a Signature using Identification
keys. I rarely mention that this often involves public key
encryption to create the signature. Folks just don't understand
that this signature encryption is a fundamentally different usage
than message stream encryption.
A Certificate is a list of Signatures.
Authentication is the _act_ of verifying the certificate.
Authorization is the _act_ of verifying that a particular
certificate has "permission" to act based on a "policy".
Does this make sense to the rest of you? Could we expand the
SPKI terminology section? Could we clarify the purpose of SPKI?
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
Follow-Ups: