[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Looking up keys by email address


At 01:27 PM 2/26/97 -0800, Hal Finney wrote:
>The other thing that I don't fully understand is how to create a cert
>that specifies that I will accept specific auth tags from certain other
>principals.  For example, supposing that we use KNOWN-TO-ME-AS above,
>I want to say that I will accept KNOWN-TO-ME-AS certs issued by key XYZ
>as though they were issued by me.  Do I issue a KNOWN-TO-ME-AS cert of
>my own on XYZ, with a MAY-DELEGATE of 1?  This would be pretty close
>to what I want, but it doesn't seem exactly right, since it forces me
>to make a claim about XYZ's name, when all I really want to do is to
>accept name claims that XYZ makes.

I'm not sure it makes sense to use KNOWN-TO-ME-AS except for human reading. 
That's something that I'm taking out of the next draft anyway.  There's only 
one <auth> I think we care about for names and that's NAME:.

The NAME: <auth> gives a name binding in the namespace of the issuer -- a 
SDSI name.

As for delegating NAME permission, SDSI has answered that.  The answer is 
that you don't delegate permission to assign names.  Rather, you refer to 
some other person's namespace by SDSI's (K1 N1 N2 N3 ... Nk) where K1 is the 
public key of the namespace N1.  [This is a departure from the SDSI 
document, which assumed you knew K1 (the key of the cert issuer).  I added 
K1 to the name sequence here so that I could detach the name from a cert 
(and therefore knowledge of K1) and still have it mean something.]

The general question you started with -- how to show you accept <auth> from 
issuer Iss -- is that you generate <You, Iss, D, <auth>, V> where D is 1 
greater than the max D you want Iss to be able to issue.  For a name cert, 
this gives an interesting effect.  It means that you delegate to some other 
source (your own personal namespace agent?) (your private secretary who 
keeps your address book) the authority to make name bindings for you.  As a 
result, if you are K1 and your secy is K2, then (K1 N) would equal (K2 N).

- - Carl

Version: 2.6.2


|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |