[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KeyNote draft available

>At 11:07 PM -0800 3/13/98, Matt Blaze wrote:
>>Yes, that's correct.  But a credential that doesn't want to allow
>>deligation can test that the value of $action_signers is the same
>>as the key being authorized.  (This is admitedly a bit subtle, but
>>seems clearner than including an explict mechanism for this.  If
>>people insist, we could also include some kind of $cert_depth
>>magic variable that gives the "distance" from the action_signers.
>>But I'd have to think about the implications of doing this).
>This does not prevent delegation by CAs, though, does it?  (Just trying
>to clarify KeyNote semantics, ignoring the question of whether it is a
>good idea to try to prevent such delegation.)
>I authorize a CA like this:
>        VERSION: 1
>        SIGNER: Policy
>        KEY-PREDICATE: dsa-sha1-pkcsX:6:def456
>        TRUST-PREDICATE: (($app_domain="RFC822-EMAIL") &&
>                          ($address ~= "^.*@research.att.com$"))
>Now key def456 is an authorized CA within research.att.com.  But it
>can delegate that authority (avoiding the T word in deference to Ed
>Gerck...) with:
>        VERSION: 1
>        SIGNER: dsa-sha1-pkcsX:6:def456
>        KEY-PREDICATE: rsa-sha1-pkcsX:6:123aaa
>        TRUST-PREDICATE: (($app_domain="RFC822-EMAIL") &&
>                          ($address ~= "^.*@research.att.com$"))
>Your idea of testing $action_signers in the policy credential won't work
>here, because typically $action_signers is the end-user key, not the CA
>key.  So is it true that in this case there is no control over delegation?

Yes, that's right.  If you allow delegation at all, nothing in the current
KeyNote semantics limits the extent of the delegation permitted.
I think this is a reasonable limitation, but if anyone can come up with
a non-wildly-hypothetical application that this breaks, I'd be willing
to add  some mechanism do deal with this case.  (Actually, I'd suggest
that applications that require such complex policies should probably
use PolicyMaker, which handles such things reasonably easily).