getting rid of intersection algebra

[Markku-Juhani Saarinen <mjos@ssh.fi>]

I think we can remove the *-form intersection algebra quite painlessly.

The problem with *-form intersection algebra is that it's complicated, 
yet doesn't deliver; while I was trying to design cert formats for 
use with SSH remote login protocol I found it hard to express netmasks and
session profiles with it.

We could use DOIs (domains of interpretation) that specify the application 
family to which the auth data is relevant. DOIs could be simple octet
strings  designated by some authority or random numbers with 128 or more
bits of entropy to avoid collisions.

An application can ignore all certs that belong to an incompatible DOI.
We do not need a general "intersection algebra" because a application
can intersect two auths in the same (or compatible) DOI in a way
that is fit for that particular application.

One might have a general SPKI library to which a caller (i.e. an
application) supplies two callback functions:
  1) Check that this auth is in caller's DOI
  2) Intersect the raw auth data
 
(they are clising the IETF terminal room in 1 min..)

- Markku-Juhani Saarinen <mjos@ssh.fi>

---

Follow-Ups:

• global uniqueness of auth fields
• From: Carl Ellison <cme@cybercash.com>

---

• Prev by Date: Re: IETF spki meeting minutes
• Next by Date: global uniqueness of auth fields
• Prev by thread: splitting up the documents
• Next by thread: global uniqueness of auth fields
• Index(es):
  • Main
  • Thread