
Re: Looking up keys by email address



-----BEGIN PGP SIGNED MESSAGE-----

At 01:27 PM 2/26/97 -0800, Hal Finney wrote:
>The other thing that I don't fully understand is how to create a cert
>that specifies that I will accept specific auth tags from certain other
>principals.  For example, supposing that we use KNOWN-TO-ME-AS above,
>I want to say that I will accept KNOWN-TO-ME-AS certs issued by key XYZ
>as though they were issued by me.  Do I issue a KNOWN-TO-ME-AS cert of
>my own on XYZ, with a MAY-DELEGATE of 1?  This would be pretty close
>to what I want, but it doesn't seem exactly right, since it forces me
>to make a claim about XYZ's name, when all I really want to do is to
>accept name claims that XYZ makes.

I'm not sure it makes sense to use KNOWN-TO-ME-AS except for human reading. 
That's something that I'm taking out of the next draft anyway.  There's only 
one <auth> I think we care about for names and that's NAME:.

The NAME: <auth> gives a name binding in the namespace of the issuer -- a 
SDSI name.

As for delegating NAME permission, SDSI has answered that.  The answer is 
that you don't delegate permission to assign names.  Rather, you refer to 
some other person's namespace by SDSI's (K1 N1 N2 N3 ... Nk) where K1 is the 
public key of the namespace N1.  [This is a departure from the SDSI 
document, which assumed you knew K1 (the key of the cert issuer).  I added 
K1 to the name sequence here so that I could detach the name from a cert 
(and therefore knowledge of K1) and still have it mean something.]

The general question you started with -- how to show you accept <auth> from 
issuer Iss -- is that you generate <You, Iss, D, <auth>, V> where D is 1 
greater than the max D you want Iss to be able to issue.  For a name cert, 
this gives an interesting effect.  It means that you delegate to some other 
source (your own personal namespace agent?) (your private secretary who 
keeps your address book) the authority to make name bindings for you.  As a 
result, if you are K1 and your secy is K2, then (K1 N) would equal (K2 N).

- - Carl

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCUAwUBMxS27FQXJENzYr45AQH8awP1FE7Qb4sJPHXl4EzMde6JjOBqj9xW0RSo
SstKYgIg907ugRSy4U03dbqtJzS4o1hU+8bpLc6JbzGpeKZYXvMevQG+wL6Kr+Mt
LecWrXmni6RmhfyGcmHElQe76wn3ZqtmIDkazI+KaODsjX6Skq0I45NCB6BUZvIR
XlR3/9/xKg==
=rmV5
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
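As an added illustration (not part of this message or any SPKI/SDSI implementation), the following Python sketch models the two ideas above: resolving a SDSI name sequence (K1 N1 N2 ... Nk) by walking NAME: certs through each namespace in turn, and accepting another key's NAME: certs as your own by issuing it a <You, Iss, D, NAME, V> cert where D is one more than the largest D Iss may itself issue. Keys are plain strings, validity V is omitted, and a NAME: cert is treated as a non-delegable (D = 0) leaf, so an auth cert with D = 1 lets the subject bind names but not re-delegate; these are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Tuple, Dict, List, FrozenSet

# Constructed representations; real SPKI/SDSI certs carry keys, validity, etc.
@dataclass(frozen=True)
class NameCert:
    issuer: str           # key K whose namespace this binding lives in
    name: str             # local name N being defined
    value: tuple          # a key ("K3",) or another SDSI name sequence ("K4", "alice")

@dataclass(frozen=True)
class AuthCert:
    issuer: str
    subject: str
    depth: int            # D: subject may issue certs with D' <= depth - 1
    auth: str             # only "NAME" matters for this example

MAX_NAME_DEPTH = 16       # guard against cyclic name definitions

class SdsiResolver:
    def __init__(self, name_certs: List[NameCert], auth_certs: List[AuthCert]):
        self.name_certs = name_certs
        self.auth_certs = auth_certs

    def accepted_name_issuers(self, owner: str) -> Dict[str, float]:
        """Keys whose NAME: certs `owner` accepts in its own namespace.

        Maps each key to the largest D it may put in certs it issues.  The
        owner is unlimited; a delegate gets depth - 1 from the cert it holds,
        and may pass on only what is left (assumed reading of the D rule)."""
        accepted: Dict[str, float] = {owner: float("inf")}
        stack = [owner]
        while stack:
            k = stack.pop()
            for ac in self.auth_certs:
                if ac.issuer != k or ac.auth != "NAME":
                    continue
                if ac.depth > accepted[k]:
                    continue          # k is not allowed to issue a cert this deep
                allowed = ac.depth - 1
                if allowed < 0:
                    continue          # D = 0 conveys no right to issue name bindings
                if allowed > accepted.get(ac.subject, -1):
                    accepted[ac.subject] = allowed
                    stack.append(ac.subject)
        return accepted

    def resolve(self, seq: Tuple[str, ...], _depth: int = 0) -> FrozenSet[str]:
        """Resolve (K1 N1 N2 ... Nk) to the set of keys it denotes.

        Each Ni is looked up in the namespace of every principal reached so
        far, consulting that principal's own NAME: certs and those of any key
        it delegated NAME to."""
        if _depth > MAX_NAME_DEPTH:
            raise RecursionError("name definition too deep or cyclic")
        k1, *names = seq
        principals = {k1}
        for n in names:
            next_principals = set()
            for p in principals:
                issuers = self.accepted_name_issuers(p)
                for nc in self.name_certs:
                    if nc.name == n and nc.issuer in issuers:
                        next_principals |= self.resolve(nc.value, _depth + 1)
            principals = next_principals
        return frozenset(principals)

# Constructed scenario: K1 is "you", K2 the secretary keeping your address book.
NAME_CERTS = [
    NameCert("K2", "hal", ("K3",)),            # secretary binds "hal" -> K3
    NameCert("K1", "bob", ("K4",)),            # your own binding for "bob"
    NameCert("K4", "alice", ("K5",)),          # bob's binding for "alice"
    NameCert("K6", "hal", ("K7",)),            # a stranger's binding: never accepted by K1
    NameCert("K8", "eve", ("K9",)),            # issued by a second-level delegate
]

def resolver_with_depth(d: int) -> SdsiResolver:
    """K1 delegates NAME to K2 with depth d; K2 tries to re-delegate to K8 with D = 1."""
    auth = [AuthCert("K1", "K2", d, "NAME"), AuthCert("K2", "K8", 1, "NAME")]
    return SdsiResolver(NAME_CERTS, auth)

if __name__ == "__main__":
    r = resolver_with_depth(1)
    print(r.resolve(("K1", "hal")), r.resolve(("K2", "hal")))   # both {K3}
    print(r.resolve(("K1", "bob", "alice")))                    # {K5}
    print(r.resolve(("K1", "eve")))                             # empty: K2 could not re-delegate
    print(resolver_with_depth(2).resolve(("K1", "eve")))        # {K9}
```

With D = 1 on K1's cert to K2, (K1 hal) and (K2 hal) resolve to the same key, which is the "(K1 N) would equal (K2 N)" effect described above; raising D to 2 additionally lets K2 hand name-binding authority one level further on, while K6's unsolicited binding for "hal" never enters K1's namespace.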

