
Re: Drastic SPKI simplifications

In exploring how to merge SPKI with the PGP database forms, I now
propose a slightly different 4-tuple than my previous message:

The 5-tuple (I,S,D,A,V) is rearranged to the 4-tuple (S,A,V,I).  There
should not be much objection, as this has been rearranged in the past.
The order is rationalized as follows:

 - Subject first, for easy recognition with database indexing and
   list searching.

 - Assertion (not Authority).  Here is where much of the complexity
   arises.  Only a few basic assertions of "identification" or
   "authorization" are needed for our target applications, and all
   others must be encoded in a fashion that can be easily ignored.

   Delegation is an optional trailing field to a particular assertion,
   and applies only to that assertion (attribute tag).  This allows a
   drastic reduction in the number of certificates needed, as a single
   certificate can express a list of assertions, without propagating
   all of the attributes.

 - Validation third.  There is no need to continue processing when the
   certificate is no longer valid.

 - Issuer last, including the signature over the previous elements.

This corresponds neatly to the PGP model, where the (V,I) is contained
in the PGP signature.  SPKI provides a strong rationale behind the
current PGP database format, while SDSI allows future expansion.

There will be no problem merging the current field definitions:

 - PGP binary structures begin with a leading content byte with the most
   significant bit set.

 - SDSI textual structures begin with a leading byte with the most
   significant bit clear "0123456789(){}".

PGP allows a further storage efficiency by saving the Subject once, and
repeating the AVI, as in (S,A,V,I,...,A,V,I).  Of course, for 4-tuple
reduction, each SAVI needs to be considered separately.

It will be practical to combine SPKI with PGP and avoid creating a whole
new database distribution mechanism.

    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
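
The leading-byte dispatch and the per-assertion expansion described in the message above, as an added Python example that is not the author's or any project's code. The function names, the integer validity window and the sample record are assumptions made for illustration.

```python
from typing import NamedTuple

SDSI_LEAD = set(b"0123456789(){}")  # leading bytes the message lists for SDSI text


def classify(record: bytes) -> str:
    """Pick the parser for a stored record from its first byte alone."""
    if not record:
        return "empty"
    lead = record[0]
    if lead & 0x80:            # most significant bit set -> PGP binary structure
        return "pgp-binary"
    if lead in SDSI_LEAD:      # MSB clear and one of the listed characters
        return "sdsi-text"
    return "unknown"           # MSB clear but not a listed SDSI lead byte


class SAVI(NamedTuple):
    subject: str
    assertion: str
    validity: tuple            # (not_before, not_after), hypothetical integer times
    issuer: str


def expand(compact):
    """Turn stored (S, A,V,I, ..., A,V,I) into one SAVI per assertion."""
    subject, rest = compact[0], compact[1:]
    if len(rest) % 3:
        raise ValueError("trailing fields are not whole (A,V,I) groups")
    return [SAVI(subject, *rest[i:i + 3]) for i in range(0, len(rest), 3)]


def still_valid(tuples, now):
    """Drop expired tuples on the V field, before any issuer/signature work."""
    return [t for t in tuples if t.validity[0] <= now <= t.validity[1]]


# Constructed sample record, not taken from any real key database.
SAMPLE = ("alice-key",
          "identification", (100, 200), "issuer-1",
          "authorization", (100, 150), "issuer-2")

if __name__ == "__main__":
    for t in still_valid(expand(SAMPLE), now=180):
        print(t)
```
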