[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comments on SPKI draft of 25 March 1997

I think it would be helpful to include a section that describes how
the certificate types of SDSI 1.0 can be handled in the new proposal.

Here is how I think that this can be done.  This eliminates the "member-of-
issuer", "member", and "name" auth fields proposed in the SPKI proposal, and
replaces this by allowing the issuer to be a simply-qualified name (i.e.
a key and a single byte-string name).

Name-Value certificate:
    Binding a name to a key
	Issuer: <key-or-key-hash> name
	Subject: <key-or-key-hash> 
    Binding a name to another name
	Issuer: <key-or-key-hash> name
	Subject: <fully-qualified-name>

Membership certificate:
   	Issuer: <key-or-key-hash> group-name
	Subject: <key-or-key-hash> or <fully-qualified-name>

Group definition:
	This is gone, as the SPKI proposal only covers groups defined by
        OR, which is the main case.  

	But I think it would be good to have MULTIPLE SUBJECTS allowed in
        a certificate, with the understanding that the delegation applies
	to each of them as if there were one certificate for each subject.

	Having a way to handle this sort of information seems to be
        missing from the SPKI proposal, and I think it should be added.
Delegation Certs:
	These are the standard SPKI certs.

	These are not explicitly described in the SPKI proposal, and
        should be.

Ron Rivest