Re: fault tolerance of SPKI/SDSI

From: Carl Ellison <cme@cybercash.com>
> It occurred to me the other day that SDSI with chained local naming and SPKI 
> with that plus chained local direct authorizations have an advantage over 
> hierarchical schemes.  Certs in our worlds are mesh-like rather than 
> tree-like.  I hesitate comparisons to the PGP web of trust, because PGP's 
> links are votes on some global name binding, but PGP has the same advantage.
> Namely:  these meshes of certificates can be fault tolerant.  A tree can not 
> be.  If you break a link in a tree, a whole branch falls off.  If you break 
> the root, the whole tree falls.  This is because a tree is inherently 
> 1-dimensional.

Yes, that's an interesting point, but it seems like it applies to the SPKI
authorizations more than SDSI.  With SPKI, A could delegate some authority
to both B and C, who could both then pass their authority to D, and you
have redundancy.  As long as one of B or C is still valid and present then
D can use his authorization.

But with SDSI, although you may have "joe's boss" and "jim's bud" being
the same key, it's not clear that you would know that keyholder by both
names.  More commonly I think you would see roles, like "rsa's president",
in which case you would be unlikely to have redundant paths to the key.

PGP adds a fuzzy component, so that for example you may require at least
two paths to a key in order to accept it for some use.  Policymaker-like
extensions would be how you would express this kind of concept in SPKI,
I think.
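
The redundancy argument in the message above, as an added example that is not part of the original post: A delegates to B and C, both delegate to D, and the check counts certificate chains that share no intermediate key, so a PGP-style "at least two paths" threshold can be applied. The cert representation (bare issuer/subject pairs), the `revoked` set and the function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: each (issuer, subject) pair stands for one
# delegation cert. Tags, validity dates and delegation flags are omitted.
MESH = [("A", "B"), ("A", "C"), ("B", "D"), ("C", "D")]
TREE = [("A", "B"), ("B", "D")]

def disjoint_paths(certs, root, subject, revoked=frozenset()):
    """Count cert chains from root to subject that share no intermediate key.

    Unit-capacity max-flow. Each key k is split into (k,'in') -> (k,'out')
    so that one intermediate key can carry at most one chain.
    """
    cap = defaultdict(int)
    adj = defaultdict(set)

    def edge(u, v, c):
        cap[(u, v)] += c
        adj[u].add(v)
        adj[v].add(u)  # reverse direction, needed for the residual graph

    keys = {k for cert in certs for k in cert} | {root, subject}
    for k in keys - set(revoked):
        edge((k, "in"), (k, "out"), len(certs) if k in (root, subject) else 1)
    for issuer, subj in certs:
        if issuer not in revoked and subj not in revoked:
            edge((issuer, "out"), (subj, "in"), 1)

    src, dst, flow = (root, "in"), (subject, "out"), 0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:  # BFS for an augmenting path
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return flow
        v = dst
        while parent[v] is not None:  # push one unit back along the path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1

def authorized(certs, root, subject, revoked=frozenset(), min_paths=1):
    """Accept the subject only if enough independent chains survive."""
    return disjoint_paths(certs, root, subject, revoked) >= min_paths
```

With B removed, D stays authorized in the mesh but not in the tree, and a two-path policy on the mesh fails as soon as either B or C is gone.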