[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Final Year Thesis : SPKI


At 08:26 AM 6/29/98 -0700, Lynn.Wheeler@firstdata.com wrote:
>Of course I need to do a little munging of my own web site ... payment
>& glossary is currently:
>public key infrastructure (PKI)
>     Public and private keys, digital certificates, certification
>authorities, certificate revocation lists, and the
>     standards that govern the use and validity of these elements make up
>an infrastructure where principals
>     can engage in private and non-repudiable transactions. This
>combination is called the Public Key
>     Infrastructure. [misc] (includes account authority digital signature,
>authentication, certification authority
>     digital signature )

Much of the definition of "PKI" has been borrowed from 10+ years of 
development of X.500/X.509/PEM, so I probably shouldn't be surprising that 
terms like CA and CRL end up in a definition.  It's also not surprising that 
"certificate" ends up being defined as "digitally signed record binding a 
distinguished name to a key", at least in many people's minds.

Now that we're actually looking at public key certification without the need 
to pay homage to X.500, a number of these particular implementation choices 
go away from the definitions and return to the status of one-of-many 
implementation choices.  The end result is the same.  We are all trying to 
achieve secure use of public keys for particular purposes.

IMHO, one of the most important contributions of the SPKI work has been the 
discovery that the old idea of global name (DN) as identifier (upon which 
X.500/X.509/PEM was originally based) has been shown to be seriously flawed,
not just philosophically but via concrete security flaws.

 - Carl

Version: PGP for Personal Privacy 5.5.3


|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
From ???@??? Mon Jun 29 13:15:42 1998
Received: by mis01.reston.cybercash.com; id MAA17488; Mon, 29 Jun 1998 12:33:13 -0400 (EDT)
Received: by callandor.cybercash.com; id MAA26085; Mon, 29 Jun 1998 12:32:16 -0400
Received: from blacklodge.c2.net( by callandor.cybercash.com via smap (3.2)
	id xma026022; Mon, 29 Jun 98 12:32:06 -0400
Received: (from majordom@localhost) by blacklodge.c2.net (8.8.5/8.7.3) id JAA15146 for spki-outgoing; Mon, 29 Jun 1998 09:29:19 -0700 (PDT)
X-Authentication-Warning: blacklodge.c2.net: majordom set sender to owner-spki@c2.org using -f
Reply-To: <hallam@ai.mit.edu>
From: "Phillip Hallam-Baker" <hallam@ai.mit.edu>
To: "Ed Gerck" <egerck@laser.cps.softex.br>,
        "Judie Mulholland" <judiemul@kc-inc.net>
Cc: <DoWneR@mail.dma.be>, <spki@c2.net>
Subject: RE: Final Year Thesis : SPKI
Date: Mon, 29 Jun 1998 12:26:19 -0400
Message-ID: <002e01bda37a$a5421170$01060606@goedel>
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
In-Reply-To: <Pine.LNX.3.95.980628162234.13732o-100000@laser.cps.softex.br>
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-spki@c2.net
Precedence: bulk

> From: owner-spki@c2.net [mailto:owner-spki@c2.net]On Behalf Of Ed Gerck
> >On Sun, 28 Jun 1998 DoWneR@mail.dma.be wrote:
> >
> >> 
> >> My name is Olivier Dellicour. I'm 24, I'm Belgian and I live in 
> >> Brussels. I'm a Business Ingeneer student and like every students 
> >> around the world I have to write a final year thesis. Mine is about 
> >> electronic certification and SPKI. I have to compare SPKI 
> >> certificate and its competitors (X.509, ...) and demonstrate that 
> >> SPKI is better (at least try to !!!). As you can imagine, I'm not a 
> Olivier:
> Comparing SPKI with X.509 is like comparing apples and speedboats. 
> In spite of its name, SPKI is NOT a PKI and does not allow a PKI to
> be built with it. Neither with SDSI, in SPKI/SDSI. 
> Further, SPKI addresses the question of "what" and only to the issuer
> -- while X.509 addresses "who" and "what" and not only to the issuer.
> Further, as a general rule, it is not advisable to set goals of what
> you want to demonstrate before studying the subjects -- because the
> subjects may not be even comparable, as the case at hand..

Actually for a final year project thesis, impartial, disinterested
research is probably not expected. Being able to put together
a coherent argument on a technical topic is probably the most that
is hoped for at undergraduate level.

Better for what? If you want to deploy an ecommerce solution today
the X.509 is the only PKI in which the legal and technical issues
have been fully addressed. If on the other hand you wish to perform
original research then it is sometimes better to start from a clean

In point of fact X.509 and SPKI may well converge at some future point.
X.509 has an extension mechanism which allows X.509v3 certificates to
be issued with SPKI semantics. Provided these extensions are marked 
critical there is no conflict. This does not address the ASN.1 issue
but syntax only affects those writing code for parsers.

I would not suggest that someone who is not a 100% tech guy embark upon
such a project however. Comparing X.509 with SPKI is unlikely to be
usefull without an understanding of the underlying technology. A more
feasible project might well be to focus on the business and legal 
issues. For example there is an established legal infrastructure for
X.509 based on the use of a Certificate Practices Statement and
Relying party agreement. How does the SPKI model relate to such 
constructs? What liability and risk models are practical? What role
is there for trusted third parties and what business models are