Comments on SPKI draft of 25 March 1997
I think it would be helpful to include a section that describes how
the certificate types of SDSI 1.0 can be handled in the new proposal.
Here is how I think that this can be done. This eliminates the "member-of-
issuer", "member", and "name" auth fields proposed in the SPKI proposal, and
replaces them by allowing the issuer to be a simply-qualified name (i.e.
a key and a single byte-string name).
Name-Value certificate:
    Binding a name to a key:
        Issuer:  <key-or-key-hash> name
        Subject: <key-or-key-hash>
    Binding a name to another name:
        Issuer:  <key-or-key-hash> name
        Subject: <fully-qualified-name>
Membership certificate:
    Issuer:  <key-or-key-hash> group-name
    Subject: <key-or-key-hash> or <fully-qualified-name>
Group definition:
    This is gone, as the SPKI proposal only covers groups defined by
    OR, which is the main case.
    But I think it would be good to have MULTIPLE SUBJECTS allowed in
    a certificate, with the understanding that the delegation applies
    to each of them as if there were one certificate for each subject.
Auto-Cert:
    Having a way to handle this sort of information seems to be
    missing from the SPKI proposal, and I think it should be added.
Delegation Certs:
    These are the standard SPKI certs.
ACLs:
    These are not explicitly described in the SPKI proposal, and
    should be.
Ron Rivest
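An added illustration, not part of Rivest's message or of the SPKI draft: a minimal resolver for the certificate shapes proposed above, where the issuer is a simply-qualified name (key plus one local name), a subject is either a key or a fully-qualified name, several subjects in one certificate act as one certificate per subject, and multiple certificates for the same local name form an OR-group. Key strings and certificate contents are constructed sample data standing in for key hashes.

```python
# Added example (not from the message or the SPKI draft): SDSI-style name
# resolution over the proposed certificate types. Keys are stand-ins for
# <key-or-key-hash>; all certificates below are constructed sample data.
from typing import FrozenSet, List, Tuple, Union

Key = str                          # stand-in for <key-or-key-hash>
FQName = Tuple[Key, ...]           # (key, name, name, ...): a fully-qualified name
Subject = Union[Key, FQName]       # a bare key or a fully-qualified name


class Cert:
    """Issuer is a simply-qualified name (key, local-name); subjects may be several."""
    def __init__(self, issuer_key: Key, local_name: str, subjects: List[Subject]):
        self.issuer = (issuer_key, local_name)
        self.subjects = subjects   # multiple subjects: as if one cert per subject


def resolve(name: FQName, certs: List[Cert], depth: int = 0) -> FrozenSet[Key]:
    """Return the set of keys a fully-qualified name denotes (OR-group semantics)."""
    if depth > 16:                 # cyclic or absurdly deep bindings resolve to nothing
        return frozenset()
    key, *names = name
    if not names:                  # a bare key denotes itself
        return frozenset([key])
    first, rest = names[0], tuple(names[1:])
    result = set()
    for cert in certs:
        if cert.issuer != (key, first):
            continue               # only certs issued under (key, first) bind this name
        for subj in cert.subjects:
            subj_name = (subj,) if isinstance(subj, str) else subj
            # resolve the subject (key or name) to keys, then continue with the rest
            for k in resolve(subj_name, certs, depth + 1):
                result |= resolve((k,) + rest, certs, depth + 1)
    return frozenset(result)


def sample_certs() -> List[Cert]:
    """Constructed certificates covering each proposed certificate type."""
    return [
        Cert("K_ron", "alice", ["K_alice"]),           # name -> key
        Cert("K_alice", "bob", ["K_bob"]),             # name -> key, in alice's namespace
        Cert("K_ron", "bob", [("K_alice", "bob")]),    # name -> another (fully-qualified) name
        Cert("K_ron", "friends",                       # membership cert with multiple subjects
             ["K_alice", ("K_ron", "bob"), "K_carol"]),
        Cert("K_ron", "loop", [("K_ron", "loop")]),    # cyclic binding: denotes no key
    ]
```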