[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on SPKI draft of 25 March 1997
At 6:26 AM -0800 3/31/97, John_Reinke@pcmailgw.ml.com wrote:
>You may wish to consider these as two different things. Lest you think
>an arbitrary distinction, this is exactly how IBM "fell on its sword" in
>By failing to distinguish between these two rights, IBM forever coded into
>the problem of "cascading revoke". That is: X as a dbadmin, X grant
>to Y; Y grants to Z; Y leaves the firm; X revokes Y and Z is disabled.
This problem is greater than the question of whether may-delegate is
boolean or integer. Consider that the verifier has generated a certificate
result certificate (CRC) giving Z direct authority. Then if a revocation
is generated for Y, it doesn't affect Z. However, if no CRC has been
generated, the revocation does affect Z. Since we have been saying that a
CRC is an optimization, and doesn't affect the security model, we have a
problem. (Note that in this view, when Y loses access Z should as well.
IMHO that is the correct behavior. If Z is to have first class access, Z
must get it from X, not from Y. By getting it from Y, Z's access is
dependent on Y.)
My immediate fix is to eliminate delegation. If an authority holder, Y
wants to delegate the authority, it must engage in a protocol with an
authority grantor, X to generate a new certificate for the new authority
Note in a traditional capability system, Y would just pass the capability
to Z. Since capabilities are not tied to their holders, this procedure
works just fine. In SPKI, we have added cryptographic authentication to
the (certificates==capabilities), which requires a more formal process for
One interesting system structure which might arise in autonomous systems is
for Y to generate a separate key pair for each privilege. Then when Y
wants to delegate a privilege, it is sufficient to share the secret key
corresponding to that privilege.
Bill Frantz | Back from caving in Borneo.| Periwinkle -- Consulting
(408)356-8506 | Great caves. We mapped | 16345 Englewood Ave.
email@example.com | 25KM on the expedition. | Los Gatos, CA 95032, USA