Comments on SPKI draft of 25 March 1997

[rivest@theory.lcs.mit.edu (Ron Rivest)]

I think it would be helpful to include a section that describes how
the certificate types of SDSI 1.0 can be handled in the new proposal.

Here is how I think that this can be done.  This eliminates the "member-of-
issuer", "member", and "name" auth fields proposed in the SPKI proposal, and
replaces this by allowing the issuer to be a simply-qualified name (i.e.
a key and a single byte-string name).

Name-Value certificate:
    Binding a name to a key
	Issuer: <key-or-key-hash> name
	Subject: <key-or-key-hash> 
    Binding a name to another name
	Issuer: <key-or-key-hash> name
	Subject: <fully-qualified-name>

Membership certificate:
   	Issuer: <key-or-key-hash> group-name
	Subject: <key-or-key-hash> or <fully-qualified-name>

Group definition:
	This is gone, as the SPKI proposal only covers groups defined by
        OR, which is the main case.  

	But I think it would be good to have MULTIPLE SUBJECTS allowed in
        a certificate, with the understanding that the delegation applies
	to each of them as if there were one certificate for each subject.

Auto-Cert:
	Having a way to handle this sort of information seems to be
        missing from the SPKI proposal, and I think it should be added.
        
Delegation Certs:
	These are the standard SPKI certs.

ACL's:
	These are not explicitly described in the SPKI proposal, and
        should be.

Ron Rivest

---

Follow-Ups:

• Re: Comments on SPKI draft of 25 March 1997
• From: Carl Ellison <cme@cybercash.com>

---

• Prev by Date: Comments on SPKI draft of 25 March 1997
• Next by Date: New Issue: <issuer> definition
• Prev by thread: Comments on SPKI draft of 25 March 1997
• Next by thread: Re: Comments on SPKI draft of 25 March 1997
• Index(es):
  • Main
  • Thread