[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KeyNote draft available

One other point - it appears that all authorizations can be delegated
indefinitely, right?  If one key grants an authority to a second, the
second key can pass the authority on to a third in any way it likes?

In the CA example, KeyNote accepts:

        $action_signer = "dsa-sha1-pkcsX:6:01a32f"
        $app_domain = "RFC822-EMAIL"
        $name="M. Blaze"

but if there were an additional credential:

        VERSION: 1
        SIGNER: dsa-sha1-pkcsX:6:01a32f
        KEY-PREDICATE: rsa-sha1-pkcsX:6:112233
        TRUST-PREDICATE: true
        SIGNATURE: dsa-sha1-pkcsX:10:f43a2c81ffea129d

this would allow key 01a32f to pass its authority on to key 112233.

So KeyNote would then also accept:

        $action_signer = "rsa-sha1-pkcsX:6:112233"
        $app_domain = "RFC822-EMAIL"
        $name="M. Blaze"

and the end user has the power to bind his name to alternate keys?

In some contexts this may be permissible and appropriate, but perhaps
not in others, if the end users are not trusted.

Perhaps it would be the application's responsibility to make sure that
it only provides appropriate credentials, and in this case it should
not have provided that last one?