[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Persistent identities (was: Re: yet another <auth> type)

To: spki@c2.net
Subject: Persistent identities (was: Re: yet another <auth> type)
From: Marc Branchaud <marcnarc@zoo.net>
Date: Mon, 24 Feb 1997 13:28:07 -0500 (EST)
In-Reply-To: <199702241727.MAA19145@argon.ncsc.mil>
Reply-To: Marc Branchaud <marcnarc@zoo.net>
Sender: owner-spki@c2.net

-----BEGIN PGP SIGNED MESSAGE-----

David Kemp's points (below) about persistent identities hits the nail
right on the head for me.  The PKI proposals that I've seen either don't
provide for a persistent identity (SPKI/SDSI), which makes key management
a real headache, or the persistent identity is too cumbersome and/or
dynamic (such as with X.500 DNs).

IMO for a PKI to be practical it should provide:

(a) Minimal person <-> key links (i.e. persistent identities) that won't
change every time the person gets a new job title or a haircut.  The PKI
should have mechanisms for handling key revocations and updates, such that
the (online) identity remains unchanged as much as possible across key
lifetimes.

(b) A simple way of attaching attributes of any kind to the persistent
identity.  I'd say SDSI does a fine job of this.  Note I said that the
attributes are attached to the identity and not, as in SDSI, to the key,
but I think SDSI can be easily tweaked to work with identities rather than
keys.

I've yet to see any concrete proposals for (a), though I've got some
half-formed ideas of my own.  I suspect that finding something that works
and is socailly acceptable to most people will prove difficult.

		Marc

==============================	------ I'M LOOKING FOR A JOB! -----
        Marc Branchaud        	I'm looking for a full-time career,
       marcnarc@zoo.net       	and I'm willing to move almost any-
    www.zoo.net/~marcnarc/    	where.  You can see my CV online at
==============================	www.zoo.net/~marcnarc/Marc-CV.htm

On Mon, 24 Feb 1997, David P. Kemp wrote:
> 
> The premise of SPKI is that persistent identities are an unnecessary
> middle step between the public key and the "stuff" (names, email
> addresses, priviledges, etc) to be attached to that key.  Therefore
> persistent identities have been eliminated as a concept from SPKI.
> 
> But the assumption that the public key *IS* the identity is fundamentally
> at odds with good key hygene, which dictates that keys be replaced
> periodically "just because", or sooner than the normal period if required
> by individual key compromise, in response to unexpected advances in
> cryptography, or for other reasons.
> 
> A persistent identity does not have to be in the form of an X.509
> Distinguished Name, nor does it have to be globally unique or meaningful,
> nor does it need to have any semantic meaning at all (it could be a random
> number, or the hash of something, for example), but it does need to
> be persistent.  It allows one to accommodate key updates without
> requiring contortions like issuing certificates to map certificates to
> other certificates!
> 
> Better start scratching off that "S" thing from SPKI :-).
> 
>       dpk
> 
> 
> 
> "Every problem can be solved with another level of indirection."
>    -- ???
> 

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBMxHduFrdFXNdDxPlAQGz2QL+OpC4tw+T3MhDVe57xfQ/EJAqoa2W+3tH
HlteXhz/TdkiylVoWcUuxUsXwddFzNimIGDhXW1ymj/rBWgnjeEgCfu+4opR8Lbb
a+24xo81d8uPTA28hqrR9XJc6cWb2qcx
=zjBW
-----END PGP SIGNATURE-----

References:

Re: yet another <auth> type

From: dpkemp@missi.ncsc.mil (David P. Kemp)

Prev by Date: Re: yet another <auth> type
Next by Date: Re: yet another <auth> type
Prev by thread: Re: yet another <auth> type
Next by thread: Re: Persistent identities (was: Re: yet another <auth> type)
Index(es):
- Main
- Thread