Re: Certificate Expiration


At 11:27 PM 5/19/98 +0100, Frank O'Dwyer wrote:
>At 15:02 08/05/98 -0400, Carl Ellison wrote:
>>There are many certificates in use today not so much for security as for a 
>>kind of seat license.  For such a use, the freeze at expiration is totally 
>>Of course, I don't like or want to encourage such a use of certificates.
>I'm puzzled by this remark. Isn't a time-limited authorisation
>just another SPKI application?  Giving someone a permission
>to access some web site for a month doesn't seem so 

You're right.  SPKI can easily handle seat licenses and that's one of many 
proper uses for a certificate.  What I object to is the creation of a 
certificate that gets hyped as having a security value when in fact all it 
is is a seat license -- something not advertised, because the cert issuer 
has no right to issue seat licenses.

>One could also imagine handing out a "telnet permission" to 
>temporarily permit a sysadmin to log in from home in order
>to sort some problem.

Of course.

>(On a related note - I think a useful form of the 'online'
>validity test would be a variation on the 'one-time' test
>which simply computed some external function of the 
>current time. This way you could easily express acls which 
>allowed access only mon-fri during business hours, for 
>example.  This would differ from the current 'one-time' 
>test only in that the test would be done by local code,
>and so wouldn't be much of a change.)
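
The locally evaluated time test suggested in the quoted note above, as an added example that is not part of the original message and is not SPKI syntax: a validity check that combines the usual not-before/not-after period with a weekday and hour window computed by local code. The names `TimeWindowTest`, `Grant` and `is_valid`, the fixed UTC offset and the sample grant are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class TimeWindowTest:
    """Hypothetical locally evaluated validity test (not SPKI syntax)."""
    weekdays: FrozenSet[int]   # 0 = Monday ... 6 = Sunday
    start: time                # inclusive, policy-local time
    end: time                  # exclusive, policy-local time
    utc_offset: timedelta      # assumption: fixed offset, no DST handling

    def passes(self, now: datetime) -> bool:
        # Weekday and hour are computed in the policy's zone, not the caller's.
        local = now.astimezone(timezone(self.utc_offset))
        return local.weekday() in self.weekdays and self.start <= local.time() < self.end

@dataclass(frozen=True)
class Grant:
    """Hypothetical time-limited authorisation with an optional local test."""
    subject: str
    permission: str
    not_before: datetime
    not_after: datetime
    window: Optional[TimeWindowTest] = None

def is_valid(grant: Grant, now: datetime) -> bool:
    if now.tzinfo is None:
        return False  # fail closed: a naive timestamp has no defined zone
    if not (grant.not_before <= now <= grant.not_after):
        return False  # outside the validity period, whatever the window says
    return grant.window is None or grant.window.passes(now)

UTC = timezone.utc
# Constructed sample: a one-month telnet grant, Mon-Fri 09:00-17:00 at UTC+10.
BUSINESS_HOURS = TimeWindowTest(frozenset(range(5)), time(9), time(17), timedelta(hours=10))
GRANT = Grant("sysadmin-key (constructed)", "telnet",
              datetime(1998, 5, 1, tzinfo=UTC), datetime(1998, 6, 1, tzinfo=UTC),
              BUSINESS_HOURS)

if __name__ == "__main__":
    for ts in (datetime(1998, 5, 24, 23, 30, tzinfo=UTC),  # Monday 09:30 local
               datetime(1998, 5, 22, 23, 30, tzinfo=UTC),  # Saturday 09:30 local
               datetime(1998, 6, 1, 0, 30, tzinfo=UTC)):   # in window but expired
        print(ts.isoformat(), is_valid(GRANT, ts))
```

The verifier's clock is the trust anchor for both checks, so a host that can have its time set by the requester gains nothing from the window.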


