
Re: yet another <auth> type




> > It makes sense to issue an SPKI cert for the statement:
> > 
> > "The subject keyholder (K1) is the same person as the keyholder of (K2), on 
> > <date>."
> > 
> > This allows someone to start a service by which someone can map old keys to 
> > new ones.
> 
> I find this problematic, because it'll bring about is-a-person sorts of
> claims...

> And it doesn't really address the problem it could resolve if it was an
> is-a-person claim, that being a sensible means of key revocation that doesn't
> require the ability to use the key you're revoking, and to prevent other
> people from revoking it.
> 
> All the statement *really* means is:
> One person or machine who has the ability to use key K1 can also use K2.
> 
> It does *not* mean:
> The only person who has the ability to use K1 can also use K2
> One person who has the ability to use K1 is the only person to use K2
> The only entity which can use K1 is the only entity to use K2
> Anyone with access to K1 can use K2

Perhaps I misunderstood Carl's meaning, but it sounded like the intent was
to say that K1's key was to be given all privileges previously accorded to
K2 by the authority of this issuer.  It says nothing about the nature of
those privileges or of the keyholder.  Obviously, the most useful application
would be in cases of lost personal keys, but the certificate neither makes
nor supports any claim of that nature.


brian


Brian Thomas, CISSP - Distributed Systems Architect  bt0008@entropy.sbc.com
Southwestern Bell                                    bthomas@primary.net
One Bell Center,  Room 34G3                          Tel: 314 235 3141
St. Louis, MO 63101                                  Fax: 314 235 0162
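To make the reading given above concrete (K1 inherits whatever this issuer accorded K2, K2 loses nothing, and nothing is said about who holds either key), here is an added toy reduction in Python. It is not from the thread or from any SPKI implementation; the key names, tags and date are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-ins for SPKI public keys (real SPKI uses key S-expressions).
ISSUER, OTHER_ISSUER, K1, K2 = "issuer", "other-issuer", "K1", "K2"

@dataclass(frozen=True)
class AuthCert:
    """Issuer grants the privilege `tag` to `subject`."""
    issuer: str
    subject: str
    tag: str

@dataclass(frozen=True)
class SameKeyholderCert:
    """Issuer states: the holder of new_key is the holder of old_key, on `on`."""
    issuer: str
    new_key: str
    old_key: str
    on: date

# Constructed sample certs: this issuer granted K2 two tags, another issuer one.
AUTH_CERTS = [
    AuthCert(ISSUER, K2, "(read /reports)"),
    AuthCert(ISSUER, K2, "(login gateway)"),
    AuthCert(OTHER_ISSUER, K2, "(write /payroll)"),
]
SAME_CERTS = [SameKeyholderCert(ISSUER, K1, K2, date(1998, 1, 1))]

def privileges(key, issuer, auth_certs=AUTH_CERTS, same_certs=SAME_CERTS, _seen=None):
    """Tags `issuer` has accorded to `key`, directly or through a
    same-keyholder cert signed by that same issuer."""
    seen = set() if _seen is None else _seen
    if key in seen:                      # guard against K1 <-> K2 cycles
        return set()
    seen.add(key)
    tags = {c.tag for c in auth_certs if c.issuer == issuer and c.subject == key}
    for s in same_certs:
        # Only the issuer's own equivalence statement carries over the issuer's
        # grants. The old key keeps its grants (no revocation), and the cert
        # says nothing about the person or machine behind either key.
        if s.issuer == issuer and s.new_key == key:
            tags |= privileges(s.old_key, issuer, auth_certs, same_certs, seen)
    return tags
```

Another issuer's grants to K2 do not follow K1, because that issuer never signed the equivalence statement.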