
Re: yet another <auth> type



On Fri, 21 Feb 1997, Carl Ellison wrote:
> 
> It makes sense to issue an SPKI cert for the statement:
> 
> "The subject keyholder (K1) is the same person as the keyholder of (K2), on 
> <date>."
> 
> This allows someone to start a service by which someone can map old keys to 
> new ones.
> 
> Thoughts?
> 
>  - Carl
> 

I think it's a good idea.

My interpretation of this is similar to Brian's -- that K1 and K2 have
the same privileges.  I'd even take that a bit further.  Suppose you have
a set of certs.  You would accept them if they were signed by K1; however,
they were signed by K2.  Another cert stating the above would let you
accept the certs.

What, however, is the meaning of <date>?  Is it the date when the
statement was made?  Or is it the date when your set of certs was signed?
To maximize utility, the statement should use a range of dates, saying
something like:

"The subject keyholder (K1) is the same person as the keyholder of (K2),
which was valid from <date1> to <date2>."

That way, for any set of certs signed by K2 between <date1> and <date2>, I
can consider them to have been signed by the keyholder of K1.

		Marc

==============================	------ I'M LOOKING FOR A JOB! -----
        Marc Branchaud        	I'm looking for a full-time career,
       marcnarc@zoo.net       	and I'm willing to move almost any-
    www.zoo.net/~marcnarc/    	where.  You can see my CV online at
==============================	www.zoo.net/~marcnarc/Marc-CV.htm
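
Added example, not part of the original message: a sketch of how a verifier could apply the date-range form of the statement proposed above, accepting a cert signed by K2 as signed by K1 only when its signing date falls between <date1> and <date2>. The class names, the `issuer` field, the trusted-issuer set and the sample keys are hypothetical, and the example goes beyond the message by also following a chain of such statements (K3 to K2 to K1).

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class SameKeyholderCert:
    k1: str       # key the verifier already accepts
    k2: str       # other key held by the same person
    date1: date   # start of the range in which k2 signatures count as k1's
    date2: date   # end of that range (inclusive)
    issuer: str   # key of the mapping service that signed this statement

@dataclass(frozen=True)
class SignedCert:
    name: str
    signer: str
    signed_on: date   # assumed trustworthy; signature checks are out of scope

def effective_signers(cert, mappings, trusted_issuers):
    """Keys the cert may be treated as signed by, following k2 -> k1 links."""
    keys, frontier = {cert.signer}, [cert.signer]
    while frontier:
        current = frontier.pop()
        for m in mappings:
            if (m.k2 == current and m.k1 not in keys
                    and m.issuer in trusted_issuers
                    and m.date1 <= cert.signed_on <= m.date2):
                keys.add(m.k1)
                frontier.append(m.k1)
    return keys

def accept(cert, required_key, mappings, trusted_issuers):
    """True if the cert counts as signed by required_key on its signing date."""
    return required_key in effective_signers(cert, mappings, trusted_issuers)

# Constructed sample data, not taken from the original message.
MAPPINGS = [
    SameKeyholderCert("K1", "K2", date(1996, 1, 1), date(1996, 12, 31), "MAPSVC"),
    SameKeyholderCert("K2", "K3", date(1996, 6, 1), date(1996, 12, 31), "MAPSVC"),
    SameKeyholderCert("K1", "K9", date(1996, 1, 1), date(1996, 12, 31), "UNKNOWN"),
]
TRUSTED = {"MAPSVC"}

if __name__ == "__main__":
    for signer, day in [("K2", date(1996, 12, 31)), ("K2", date(1997, 2, 21)),
                        ("K3", date(1996, 3, 1)), ("K9", date(1996, 7, 1))]:
        c = SignedCert("example", signer, day)
        print(signer, day, accept(c, "K1", MAPPINGS, TRUSTED))
```

The signing date is taken at face value in this sketch; the date range only constrains acceptance if the verifier has its own evidence of when K2 actually signed.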


