[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: yet another <auth> type

To: Moltar Ramone <jlasser@goucher.edu>
Subject: Re: yet another <auth> type
From: "Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu>
Date: Fri, 21 Feb 1997 10:50:20 -0500 (EST)
Cc: Carl Ellison <cme@cybercash.com>, spki@c2.net
In-Reply-To: <19970221092016.60007@rwd.goucher.edu>
Sender: owner-spki@c2.net

I'm confused.  

If K1 was revoked for being insecure, what evidence other than the full
evidence used to generate K1 in the first place suffice to issue a
similar-assurance K2? 

If the answer is "you need it all" then the new field is of no value; K2
is a K2 is a K2.

If the answer is "less" then K2 is not a real K2 since it relies in part
on the now-insecure K1.

Of course, if K1 has not been compromised, and K2 is just replacing it due
to age, K1 issues a cert of it's own recognizing K2 (and vice-versa?)?  Is
this the problem this is designed to solve?

On Fri, 21 Feb 1997, Moltar Ramone wrote:

> On Feb 02, 1997 at 06:41:14AM -0500, Carl Ellison wrote:
> 
> > It makes sense to issue an SPKI cert for the statement:
> > 
> > "The subject keyholder (K1) is the same person as the keyholder of (K2), on 
> > <date>."
> > 
> > This allows someone to start a service by which someone can map old keys to 
> > new ones.
> 
> I find this problematic, because it'll bring about is-a-person sorts of
> claims...
> 
> And it doesn't really address the problem it could resolve if it was an
> is-a-person claim, that being a sensible means of key revocation that doesn't
> require the ability to use the key you're revoking, and to prevent other
> people from revoking it.
> 
> All the statement *really* means is:
> One person or machine who has the ability to use key K1 can also use K2.
> 
> It does *not* mean:
> The only person who has the ability to use K1 can also use K2
> One person who has the ability to use K1 is the only person to use K2
> The only entity which can use K1 is the only entity to use K2
> Anyone with access to K1 can use K2
> 
> And, of course, what the statement really means is sorta useless, I think.
> 
> And at any rate, it should really say what it is.
> 
> Jon
> -- 
> Jon Lasser (410)433-7495                    jlasser@rwd.goucher.edu
> http://www.goucher.edu/~jlasser/            PGP key = 1024/EC001E4D
>       "Flap your ears, Dumbo!  The feather was only a trick!"
> 

==
The above may have been dictated via Dragon Dictate 2.52 voice
recognition. Please be alert for unintentional word substitutions. 

A. Michael Froomkin        | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Associate Professor of Law |
U. Miami School of Law     | froomkin@law.miami.edu
P.O. Box 248087            | http://www.law.miami.edu/~froomkin
Coral Gables, FL 33124 USA | It's warm here.

References:

Re: yet another <auth> type

From: Moltar Ramone <jlasser@goucher.edu>

Prev by Date: Re: yet another <auth> type
Next by Date: Re: yet another <auth> type
Prev by thread: Re: yet another <auth> type
Next by thread: Re: yet another <auth> type
Index(es):
- Main
- Thread