
Re: yet another <auth> type

On Feb 02, 1997 at 06:41:14AM -0500, Carl Ellison wrote:

> It makes sense to issue an SPKI cert for the statement:
> "The subject keyholder (K1) is the same person as the keyholder of (K2), on 
> <date>."
> This allows someone to start a service by which someone can map old keys to 
> new ones.

I find this problematic, because it'll bring about is-a-person sorts of

And it doesn't really address the problem it could resolve if it was an
is-a-person claim, that being a sensible means of key revocation that doesn't
require the ability to use the key you're revoking, and to prevent other
people from revoking it.

All the statement *really* means is:
One person or machine who has the ability to use key K1 can also use K2.

It does *not* mean:
The only person who has the ability to use K1 can also use K2
One person who has the ability to use K1 is the only person to use K2
The only entity which can use K1 is the only entity to use K2
Anyone with access to K1 can use K2

And, of course, what the statement really means is sorta useless, I think.

And at any rate, it should really say what it is.

Jon Lasser (410)433-7495                    jlasser@rwd.goucher.edu
http://www.goucher.edu/~jlasser/            PGP key = 1024/EC001E4D
      "Flap your ears, Dumbo!  The feather was only a trick!"
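The semantics argued above, that a "same keyholder" cert countersigned by both keys establishes only that some party could use K1 and K2 at issuance, as an added Go example that is not part of this thread; the statement encoding and all function names are assumptions, not an SPKI format:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyLink is a constructed "same keyholder" statement: whoever can use K1
// can also use K2, as of Date. Both keys sign the same bytes.
type KeyLink struct {
	K1, K2 ed25519.PublicKey
	Date   string
	SigK1  []byte // signature over the statement made with K1
	SigK2  []byte // signature over the statement made with K2
}

// statement is the canonical bytes both keys sign (hypothetical encoding).
func (l KeyLink) statement() []byte {
	return []byte(fmt.Sprintf("(same-keyholder %x %x %s)", []byte(l.K1), []byte(l.K2), l.Date))
}

// NewKeyLink issues the link, countersigned by both private keys.
func NewKeyLink(priv1, priv2 ed25519.PrivateKey, date string) KeyLink {
	l := KeyLink{K1: priv1.Public().(ed25519.PublicKey), K2: priv2.Public().(ed25519.PublicKey), Date: date}
	msg := l.statement()
	l.SigK1 = ed25519.Sign(priv1, msg)
	l.SigK2 = ed25519.Sign(priv2, msg)
	return l
}

// Verify accepts the link only if both keys signed the same statement.
// A valid link proves that one party could use K1 *and* K2 when it was
// issued; it proves nothing about exclusive control of either key.
func Verify(l KeyLink) bool {
	msg := l.statement()
	return ed25519.Verify(l.K1, msg, l.SigK1) && ed25519.Verify(l.K2, msg, l.SigK2)
}

func main() {
	_, k1, _ := ed25519.GenerateKey(rand.Reader)
	_, k2, _ := ed25519.GenerateKey(rand.Reader)
	link := NewKeyLink(k1, k2, "1997-02-02")
	fmt.Println("countersigned link valid:", Verify(link))
	link.SigK2 = nil // a link signed by K1 alone says nothing about K2's holder
	fmt.Println("K1-only link accepted:", Verify(link))
}
```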
