[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate Expiration

To: "Frank O'Dwyer" <fod@brd.ie>
Subject: Re: Certificate Expiration
From: Carl Ellison <cme@cybercash.com>
Date: Wed, 20 May 1998 01:50:35 -0400
Cc: Carl Ellison <cme@cybercash.com>, Bill Frantz <frantz@netcom.com>, spki@c2.net
In-Reply-To: <3.0.5.32.19980519232705.007e58f0@pop.officelink.eunet.ie>
References: <3.0.3.32.19980508150254.00b3a410@cybercash.com><v03110704b178f87e3e36@[207.94.249.173]>

-----BEGIN PGP SIGNED MESSAGE-----

At 11:27 PM 5/19/98 +0100, Frank O'Dwyer wrote:
>At 15:02 08/05/98 -0400, Carl Ellison wrote:
>>There are many certificates in use today not so much for security as for a 
>>kind of seat license.  For such a use, the freeze at expiration is totally 
>>appropriate.
>>
>>Of course, I don't like or want to encourage such a use of certificates.
>
>I'm puzzled by this remark. Isn't a time-limited authorisation
>just another SPKI application?  Giving someone a permission
>to access some web site for a month doesn't seem so 
>extraordinary.

You're right.  SPKI can easily handle seat licenses and that's one of many 
proper uses for a certificate.  What I object to is the creation of a 
certificate that gets hyped as having a security value when in fact all it 
is is a seat license -- something not advertized, because the cert issuer 
has no right to issue seat licenses.

>One could also imagine handing out a "telnet permission" to 
>temporarily permit a sysadmin to log in from home in order
>to sort some problem.

Of course.

>(On a related note - I think a useful form of the 'online'
>validity test would be a variation on the 'one-time' test
>which simply computed some external function of the 
>current time. This way you could easily express acls which 
>allowed access only mon-fri during business hours, for 
>example.  This would differ from the current 'one-time' 
>test only in that the test would be done by local code,
>and so wouldn't be much of a change.)

Yup.

 - Carl

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQCVAwUBNWJvKhN3Wx8QwqUtAQEWtQP/VudY/fcq97QQqL3oh4z/HY8v9DabCoyz
NL4uFOL/4PejwPL6yDgMfBpsA5DCPE2RGoLHcbxq2R+v0jXEcQy2MT2Br0RB3t1I
4ZP6O0mZI802FYFMkRxsHKf7RrELQKE2c64KLOCaOYt943y8QJK3PVlAiLM6eh3Z
TM0eco7NMnk=
=dK0g
-----END PGP SIGNATURE-----


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+

References:

Re: Certificate Expiration

From: Carl Ellison <cme@cybercash.com>

Certificate Expiration

From: Bill Frantz <frantz@netcom.com>

Re: Certificate Expiration

From: "Frank O'Dwyer" <fod@brd.ie>

Prev by Date: Re: "Fuzzy" SPKI (was Re: Certificate Expiration)
Next by Date: Re: "Fuzzy" SPKI (was Re: Certificate Expiration)
Prev by thread: Re: Certificate Expiration
Next by thread: "Fuzzy" SPKI (was Re: Certificate Expiration)
Index(es):
- Main
- Thread