Looking up keys by email address

I don't fully understand how SPKI would model the fairly common problem
of finding a key suitable for encrypting a message to a given email
address, domain name, or URL.  I would have thought to see something in
section 5.7.1, "Authority flow from Name to Key", to allow a third party
to certify a binding between an email address and a key.  The closest I
see is in 5.7.3, "PGP-like Reference", the KNOWN-TO-ME-AS tag.  It allows
binding a <name>, which could presumably be an email address or URL as
alternatives to a family name.  Is this what would be expected to be
used for these purposes?

I am perhaps being misled by the presence of the MAILTO tag described
in 5.7.5, "Informational Self-binding".  This is explicitly called out
as providing an email address, but it is part of a self certificate and
not something which a third party would use, apparently.  Presumably if I
want to send mail to foo@bar.com I can't simply encrypt it to every key
in my database which has self-generated a MAILTO tag with this address.
So I gather that this tag is for some other use.

Would it make sense to create some new auth fields within section 5.7.1
which would be specific for the common cases described above?

The other thing that I don't fully understand is how to create a cert
that specifies that I will accept specific auth tags from certain other
principals.  For example, supposing that we use KNOWN-TO-ME-AS above,
I want to say that I will accept KNOWN-TO-ME-AS certs issued by key XYZ
as though they were issued by me.  Do I issue a KNOWN-TO-ME-AS cert of
my own on XYZ, with a MAY-DELEGATE of 1?  This would be pretty close
to what I want, but it doesn't seem exactly right, since it forces me
to make a claim about XYZ's name, when all I really want to do is to
accept name claims that XYZ makes.


Hal Finney
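As an added illustration of the lookup described in the post above (example code, not from the SPKI drafts or from anyone in this thread): a simplified Python model in which self-asserted MAILTO tags are ignored and only KNOWN-TO-ME-AS bindings from keys I have delegated to (via a KNOWN-TO-ME-AS cert of my own carrying MAY-DELEGATE) are accepted. The cert fields, the placeholder key names, and the rule that each delegation hop consumes one MAY-DELEGATE level are assumptions of this model, not the draft's S-expression syntax or its exact delegation semantics.

```python
# Added example: simplified model of finding keys for an email address.
# Field layout and MAY-DELEGATE hop semantics are assumptions of this model.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str             # key that signed the cert; a self-cert has issuer == subject
    subject: str            # key the binding is about
    tag: str                # "MAILTO" (self-binding) or "KNOWN-TO-ME-AS" (third-party)
    name: str               # email address, URL, or other name bound to subject
    may_delegate: int = 0   # >= 1 lets the subject act as a name issuer for me

ME = "K_me"   # my own key (constructed placeholder)

def trusted_issuers(certs, me=ME):
    """Map each key whose name claims I accept to the delegation hops it has
    left (None = unlimited, for me). A KNOWN-TO-ME-AS cert with MAY-DELEGATE
    n >= 1 from a trusted issuer that still has hops left admits its subject
    with min(n, issuer_hops) - 1 hops. Note that such a cert also has to
    carry a name for the subject, which is the objection raised above."""
    hops = {me: None}
    changed = True
    while changed:                              # propagate to a fixed point
        changed = False
        for c in certs:
            if c.tag != "KNOWN-TO-ME-AS" or c.issuer not in hops or c.may_delegate < 1:
                continue
            r = hops[c.issuer]
            if r is not None and r < 1:         # issuer may not delegate further
                continue
            d = c.may_delegate - 1 if r is None else min(c.may_delegate, r) - 1
            if c.subject not in hops or (hops[c.subject] is not None and d > hops[c.subject]):
                hops[c.subject] = d
                changed = True
    return hops

def keys_for(certs, name, me=ME):
    """Keys I may encrypt to for `name`: bound by a KNOWN-TO-ME-AS cert whose
    issuer I trust. Self-asserted MAILTO tags are deliberately not enough."""
    trusted = trusted_issuers(certs, me)
    return {c.subject for c in certs
            if c.tag == "KNOWN-TO-ME-AS" and c.name == name and c.issuer in trusted}

def self_claimed_keys(certs, name):
    """Keys that merely assert MAILTO for `name` in their own self-cert."""
    return {c.subject for c in certs
            if c.tag == "MAILTO" and c.issuer == c.subject and c.name == name}

CERTS = [  # constructed sample certs; key names are placeholders, not real hashes
    Cert("K_me", "K_xyz", "KNOWN-TO-ME-AS", "XYZ Corp", may_delegate=2),  # forces a name claim about XYZ
    Cert("K_xyz", "K_foo", "KNOWN-TO-ME-AS", "foo@bar.com"),              # accepted: XYZ is trusted
    Cert("K_xyz", "K_abc", "KNOWN-TO-ME-AS", "ABC", may_delegate=1),      # ABC gets 0 hops left
    Cert("K_abc", "K_baz", "KNOWN-TO-ME-AS", "foo@bar.com"),              # accepted: ABC is trusted
    Cert("K_abc", "K_eve", "KNOWN-TO-ME-AS", "Eve", may_delegate=1),      # refused: ABC cannot delegate
    Cert("K_eve", "K_eve2", "KNOWN-TO-ME-AS", "foo@bar.com"),             # ignored: Eve is not trusted
    Cert("K_mallory", "K_mallory", "MAILTO", "foo@bar.com"),              # self-asserted only
]
```

Running `keys_for(CERTS, "foo@bar.com")` yields `{"K_foo", "K_baz"}`, while `self_claimed_keys` returns only `{"K_mallory"}`, which the lookup never uses.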