Re: Drastic SPKI simplifications
In exploring how to merge SPKI with the PGP database forms, I now
propose a slightly different 4-tuple than my previous message:
The 5-tuple (I,S,D,A,V) is rearranged to the 4-tuple (S,A,V,I). There
should not be much objection, as this has been rearranged in the past.
The order is rationalized as follows:
- Subject first, for easy recognition with database indexing and
list searching.
- Assertion (not Authority). Here is where much of the complexity
arises. Only a few basic assertions of "identification" or
"authorization" are needed for our target applications, and all
others must be encoded in a fashion that can be easily ignored.
Delegation is an optional trailing field to a particular assertion,
and applies only to that assertion (attribute tag). This allows a
drastic reduction in the number of certificates needed, as a single
certificate can express a list of assertions, without propagating
all of the attributes.
- Validation third. There is no need to continue processing when the
certificate is no longer valid.
- Issuer last, including the signature over the previous elements.
This corresponds neatly to the PGP model, where the (V,I) is contained
in the PGP signature. SPKI provides a strong rationale behind the
current PGP database format, while SDSI allows future expansion.
There will be no problem merging the current field definitions:
- PGP binary structures begin with a leading content byte with the most
significant bit set.
- SDSI textual structures begin with a leading byte with the most
significant bit clear "0123456789(){}".
PGP allows a further storage efficiency by saving the Subject once, and
repeating the AVI, as in (S,A,V,I,...,A,V,I). Of course, for 4-tuple
reduction, each SAVI needs to be considered separately.
It will be practical to combine SPKI with PGP and avoid creating a whole
new database distribution mechanism.
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2
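
Added example, not part of the original message: a sketch of the leading-byte dispatch between PGP binary and SDSI textual records, and of expanding the stored form (S,A,V,I,...,A,V,I) into separate SAVI tuples with validity checked before the assertions are read. The record layout, the field names and the single expiry time used for V are assumptions made for illustration, not SPKI, SDSI or PGP wire formats.

```python
from typing import NamedTuple, Tuple

SDSI_LEADING = b"0123456789(){}"   # leading bytes quoted in the message

def classify(record: bytes) -> str:
    """Dispatch on the first byte: MSB set is PGP binary, MSB clear is SDSI text."""
    if not record:
        return "empty"
    first = record[0]
    if first & 0x80:
        return "pgp-binary"
    if first in SDSI_LEADING:
        return "sdsi-text"
    return "unknown"   # MSB clear, but not one of the listed leading bytes

class Assertion(NamedTuple):
    tag: str
    delegable: bool = False   # optional trailing field, scoped to this tag only

class SAVI(NamedTuple):
    subject: str
    assertions: Tuple[Assertion, ...]   # one certificate may carry a list
    not_after: int                      # V modelled as an expiry time (assumption)
    issuer: str

def expand(subject, avis):
    """(S, A,V,I, ..., A,V,I) -> one SAVI per stored AVI triple."""
    return [SAVI(subject, tuple(a), v, i) for a, v, i in avis]

def delegable_tags(savis, now):
    """Tags each issuer allows to be passed on, from tuples still valid at `now`."""
    out = {}
    for t in savis:
        if now > t.not_after:   # validity first: expired tuples are not processed
            continue
        tags = [a.tag for a in t.assertions if a.delegable]
        out.setdefault(t.issuer, []).extend(tags)
    return out

# Constructed sample: one subject stored once, followed by two AVI triples.
STORED = ("alice-key", [
    ([Assertion("identification"), Assertion("authorization", True)], 2000, "issuer-1"),
    ([Assertion("authorization", True)], 1000, "issuer-2"),
])

if __name__ == "__main__":
    print(classify(b"\x99\x01"), classify(b"(cert ...)"))
    print(delegable_tags(expand(*STORED), now=1500))
```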