[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on SPKI draft of 25 March 1997

At 6:26 AM -0800 3/31/97, John_Reinke@pcmailgw.ml.com wrote:
>You may wish to consider these as two different things.  Lest you think
>this is
>an arbitrary distinction, this is exactly how IBM "fell on its sword" in
>By failing to distinguish between these two rights, IBM forever coded into
>the problem of "cascading revoke".  That is: X as a dbadmin, X grant
>to Y; Y grants to Z; Y leaves the firm; X revokes Y and Z is disabled.

This problem is greater than the question of whether may-delegate is
boolean or integer.  Consider that the verifier has generated a certificate
result certificate (CRC) giving Z direct authority.  Then if a revocation
is generated for Y, it doesn't affect Z.  However, if no CRC has been
generated, the revocation does affect Z.  Since we have been saying that a
CRC is an optimization, and doesn't affect the security model, we have a
problem.  (Note that in this view, when Y loses access Z should as well.
IMHO that is the correct behavior.  If Z is to have first class access, Z
must get it from X, not from Y.  By getting it from Y, Z's access is
dependent on Y.)

My immediate fix is to eliminate delegation.  If an authority holder, Y
wants to delegate the authority, it must engage in a protocol with an
authority grantor, X to generate a new certificate for the new authority
holder, Z.

Note in a traditional capability system, Y would just pass the capability
to Z.  Since capabilities are not tied to their holders, this procedure
works just fine.  In SPKI, we have added cryptographic authentication to
the (certificates==capabilities), which requires a more formal process for
passing them.

One interesting system structure which might arise in autonomous systems is
for Y to generate a separate key pair for each privilege.  Then when Y
wants to delegate a privilege, it is sufficient to share the secret key
corresponding to that privilege.

Bill Frantz       | Back from caving in Borneo.| Periwinkle -- Consulting
(408)356-8506     | Great caves.  We mapped    | 16345 Englewood Ave.
frantz@netcom.com | 25KM on the expedition.    | Los Gatos, CA 95032, USA

Follow-Ups: References: