
getting rid of intersection algebra

I think we can remove the *-form intersection algebra quite painlessly.

The problem with *-form intersection algebra is that it's complicated, 
yet doesn't deliver; while I was trying to design cert formats for 
use with the SSH remote login protocol I found it hard to express netmasks and
session profiles with it.

We could use DOIs (domains of interpretation) that specify the application 
family to which the auth data is relevant. DOIs could be simple octet
strings designated by some authority or random numbers with 128 or more
bits of entropy to avoid collisions.

An application can ignore all certs that belong to an incompatible DOI.
We do not need a general "intersection algebra" because an application
can intersect two auths in the same (or compatible) DOI in a way
that is fit for that particular application.

One might have a general SPKI library to which a caller (i.e. an
application) supplies two callback functions:
  1) Check that this auth is in caller's DOI
  2) Intersect the raw auth data
(they are closing the IETF terminal room in 1 min..)

- Markku-Juhani Saarinen <mjos@ssh.fi>
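
An added example, not part of the original message and not code from any SPKI library, of the two-callback design sketched above, using the netmask case the message mentions. The type and function names, the DOI value and the 5-byte network encoding are hypothetical; treating an auth outside the caller's DOI as granting nothing is this example's assumption.

```c
#include <stdint.h>
#include <string.h>

#define DOI_LEN 16                       /* 128-bit DOI, the size the post suggests */
typedef struct {
    uint8_t doi[DOI_LEN];                /* domain of interpretation */
    uint8_t data[5];                     /* raw auth data, opaque to the library */
} spki_auth;                             /* hypothetical type */

typedef struct {                         /* the two caller-supplied callbacks */
    int (*in_doi)(const spki_auth *a);   /* 1) is this auth in the caller's DOI? */
    int (*intersect)(const spki_auth *a, const spki_auth *b, spki_auth *out); /* 2) 1 if non-empty */
} spki_callbacks;

/* Library side: intersect every auth in a chain. An auth outside the caller's DOI
   is ignored, which here means it grants nothing (assumption: fail closed). */
int spki_reduce(const spki_auth *chain, size_t n, const spki_callbacks *cb, spki_auth *out) {
    if (n == 0 || !cb->in_doi(&chain[0])) return 0;
    spki_auth acc = chain[0];
    for (size_t i = 1; i < n; i++) {
        spki_auth next;
        if (!cb->in_doi(&chain[i]) || !cb->intersect(&acc, &chain[i], &next)) return 0;
        acc = next;
    }
    *out = acc;
    return 1;
}

/* Application side: constructed login DOI; data = IPv4 network (4 bytes) + prefix length. */
static const uint8_t LOGIN_DOI[DOI_LEN] = "example-login-1";
static int login_in_doi(const spki_auth *a) { return memcmp(a->doi, LOGIN_DOI, DOI_LEN) == 0; }

static uint32_t net_bits(const spki_auth *a, unsigned len) {   /* top len bits of the address */
    uint32_t ip = (uint32_t)a->data[0] << 24 | (uint32_t)a->data[1] << 16 | (uint32_t)a->data[2] << 8 | a->data[3];
    return len ? ip & (0xFFFFFFFFu << (32 - len)) : 0;
}

static int login_intersect(const spki_auth *a, const spki_auth *b, spki_auth *out) {
    if (a->data[4] > 32 || b->data[4] > 32) return 0;        /* malformed: grant nothing */
    const spki_auth *wide = a->data[4] <= b->data[4] ? a : b;
    const spki_auth *narrow = (wide == a) ? b : a;
    if (net_bits(wide, wide->data[4]) != net_bits(narrow, wide->data[4])) return 0; /* disjoint */
    *out = *narrow;                                          /* the smaller network wins */
    return 1;
}
static const spki_callbacks LOGIN_CB = { login_in_doi, login_intersect };

int main(void) {   /* constructed chain: 10.0.0.0/8 narrowed to 10.1.2.0/24 */
    spki_auth c[2] = {{"example-login-1", {10,0,0,0,8}}, {"example-login-1", {10,1,2,0,24}}}, r;
    return !(spki_reduce(c, 2, &LOGIN_CB, &r) && r.data[4] == 24);
}
```

The library never parses `data`; only the application's callback knows that two networks intersect to the narrower one or to nothing.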