[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on SPKI draft of 25 March 1997

To: John_Reinke@pcmailgw.ml.com, spki@c2.net, rivest@theory.lcs.mit.edu (Ron Rivest)
Subject: Re: Comments on SPKI draft of 25 March 1997
From: Bill Frantz <frantz@netcom.com>
Date: Mon, 31 Mar 1997 19:12:39 -0800
Cc: blampson@microsoft.com
In-Reply-To: <00004B32.@pcmailgw.ml.com>
Sender: owner-spki@c2.net

At 6:26 AM -0800 3/31/97, John_Reinke@pcmailgw.ml.com wrote:
>You may wish to consider these as two different things.  Lest you think
>this is
>an arbitrary distinction, this is exactly how IBM "fell on its sword" in
>DB2.
>By failing to distinguish between these two rights, IBM forever coded into
>DB2
>the problem of "cascading revoke".  That is: X as a dbadmin, X grant
>authority
>to Y; Y grants to Z; Y leaves the firm; X revokes Y and Z is disabled.

This problem is greater than the question of whether may-delegate is
boolean or integer.  Consider that the verifier has generated a certificate
result certificate (CRC) giving Z direct authority.  Then if a revocation
is generated for Y, it doesn't affect Z.  However, if no CRC has been
generated, the revocation does affect Z.  Since we have been saying that a
CRC is an optimization, and doesn't affect the security model, we have a
problem.  (Note that in this view, when Y loses access Z should as well.
IMHO that is the correct behavior.  If Z is to have first class access, Z
must get it from X, not from Y.  By getting it from Y, Z's access is
dependent on Y.)

My immediate fix is to eliminate delegation.  If an authority holder, Y
wants to delegate the authority, it must engage in a protocol with an
authority grantor, X to generate a new certificate for the new authority
holder, Z.

Note in a traditional capability system, Y would just pass the capability
to Z.  Since capabilities are not tied to their holders, this procedure
works just fine.  In SPKI, we have added cryptographic authentication to
the (certificates==capabilities), which requires a more formal process for
passing them.

One interesting system structure which might arise in autonomous systems is
for Y to generate a separate key pair for each privilege.  Then when Y
wants to delegate a privilege, it is sufficient to share the secret key
corresponding to that privilege.

-------------------------------------------------------------------------
Bill Frantz       | Back from caving in Borneo.| Periwinkle -- Consulting
(408)356-8506     | Great caves.  We mapped    | 16345 Englewood Ave.
frantz@netcom.com | 25KM on the expedition.    | Los Gatos, CA 95032, USA

Follow-Ups:

Re: Comments on SPKI draft of 25 March 1997

From: Carl Ellison <cme@cybercash.com>

References:

Re: Comments on SPKI draft of 25 March 1997

From: John_Reinke@pcmailgw.ml.com

Prev by Date: Comments on the 25 March 1997 draft
Next by Date: Re: meanings of fields (was: Re: My two pennies)
Prev by thread: Delegation (was: Re: Comments on SPKI draft of 25 March 1997)
Next by thread: Re: Comments on SPKI draft of 25 March 1997
Index(es):
- Main
- Thread