Re: Comments on SPKI draft of 25 March 1997
At 07:12 PM 3/31/97 -0800, Bill Frantz wrote:
>This problem is greater than the question of whether may-delegate is
>boolean or integer. Consider that the verifier has generated a certificate
>result certificate (CRC) giving Z direct authority. Then if a revocation
>is generated for Y, it doesn't affect Z. However, if no CRC has been
>generated, the revocation does affect Z. Since we have been saying that a
>CRC is an optimization, and doesn't affect the security model, we have a
>problem. (Note that in this view, when Y loses access Z should as well.
>IMHO that is the correct behavior. If Z is to have first class access, Z
>must get it from X, not from Y. By getting it from Y, Z's access is
>dependent on Y.)
Bill,
the reason the CRC is as good as the chain it was reduced from is that its
validity field is the intersection of those of the whole chain (intersection
of date ranges and union of on-line tests). (This implies, BTW, that we must
permit <online-test>*, not just <online-test>?).
When you let a single cert out into the world with a lifetime until date D,
you're free to revoke it before D, but not to expect that others will see your
revocation before D. If that makes you uncomfortable, you need to rein in D.
This leaves the cert in an undetermined state for a while.
The effect above has nothing to do with delegation. When I take in any
single cert and validate it, I enter its result in an on-line cache and am free
to keep that cache entry (without doing any updates) until it expires.
If you are *really* uncomfortable with letting a cert live even a second
after you might decide it's invalid, then you need to do on-line tests of
validity which are valid for only one challenge/response cycle. That's the
closest you get to a 0-lifetime cert. However, because messages take a
finite amount of time to be delivered, it's still possible for you to give
the "it's valid" response and have that be in transit while the "it's not
valid" message arrives at your server.
This isn't some perversity on my part. It's a side effect of the speed of
light and the fact that there is no absolute time coordinate.
- Carl
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
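As an added illustration of the validity rule Carl describes above (this is not code from the thread or from the SPKI draft): a chain's validity fields are reduced to a CRC whose date range is the intersection and whose set of on-line tests is the union, so Z's reduced cert still carries whatever on-line test X attached to Y's cert. The Validity type and the test labels are assumed, simplified stand-ins for the draft's validity fields and <online-test> entries.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Validity:
    not_before: datetime
    not_after: datetime
    # Labels for on-line tests (e.g. a CRL an issuer controls); hypothetical
    # names, not the draft's real <online-test> syntax.
    online_tests: frozenset = frozenset()

def validity(not_before, not_after, online_tests=()):
    """Build a Validity from ISO-8601 date strings."""
    return Validity(datetime.fromisoformat(not_before),
                    datetime.fromisoformat(not_after),
                    frozenset(online_tests))

def intersect(a, b):
    """Date ranges intersect; on-line tests from every cert accumulate."""
    return Validity(max(a.not_before, b.not_before),
                    min(a.not_after, b.not_after),
                    a.online_tests | b.online_tests)

def reduce_chain(chain):
    """CRC validity for a list of Validity objects, or None when the date
    ranges never overlap (the chain is never valid as a whole)."""
    crc = chain[0]
    for v in chain[1:]:
        crc = intersect(crc, v)
    return None if crc.not_before > crc.not_after else crc

def crc_usable(crc, now, passed_tests):
    """A cached CRC may be relied on only inside its date range and only
    when every on-line test inherited from the chain has been passed."""
    t = datetime.fromisoformat(now)
    return (crc.not_before <= t <= crc.not_after
            and crc.online_tests <= frozenset(passed_tests))

# Constructed chain: X -> Y carries an on-line test X controls; Y -> Z does not.
X_TO_Y = validity("1997-01-01", "1997-06-30", ["crl:X"])
Y_TO_Z = validity("1997-03-01", "1997-12-31")
CRC = reduce_chain([X_TO_Y, Y_TO_Z])

if __name__ == "__main__":
    print(CRC)
    print(crc_usable(CRC, "1997-05-01", ["crl:X"]))
```

Because the CRC inherits "crl:X", revoking Y's cert through X's on-line test also stops Z's reduced cert from being usable, which is the behavior Bill asks for.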