KeyNote examples - correct version
Oops - I sent an old editor backup instead of the real file.
Here's the correct version:
-matt
In the interest of readability, these examples use much shorter
keys than would ordinarily be used. Note that the "SIGNATURE"
fields in these examples do not represent the result of any real
signature calculation.
1. TRADITIONAL CA / EMAIL
A. A policy unconditionally delegating trust to the holder of RSA
key abc123:
VERSION: 1
SIGNER: policy
KEY-PREDICATE: rsa-sha1-pkcsX:6:abc123;
TRUST-PREDICATE: true
B. A credential assertion in which RSA key abc123 trusts either
DSA key def456 or RSA key 123aaa to perform actions in which
the "app_domain" is "rfc822-email", the "name" is either
"M. Blaze" or empty, and the "address" matches the regular
expression "^.*@keynote.research.att.com$". In other
words, abc123 trusts def456 and 123aaa as certification
authorities for the keynote.research.att.com domain.
VERSION: 1
SIGNER: rsa-sha1-pkcsX:6:abc123
KEY-PREDICATE: dsa-sha1-pkcsX:6:def456 ||
rsa-sha1-pkcsX:6:123aaa
TRUST-PREDICATE: (($app_domain="RFC822-EMAIL") &&
($address ~= "^.*@keynote.research.att.com$"))
SIGNATURE: rsa-md5-pkcsX:16:00112233445566a3
C. A certificate credential for a specific user, issued by one of
the certification authorities above:
VERSION: 1
SIGNER: dsa-sha1-pkcsX:6:def456
KEY-PREDICATE: dsa-sha1-pkcsX:6:01a32f
TRUST-PREDICATE: (($app_domain="RFC822-EMAIL") &&
($name = "M. Blaze" || $name = "") &&
($address="mab@keynote.research.att.com"))
SIGNATURE: rsa-sha1-pkcsX:16:f43a2c81ffea129d
D. Another certificate credential for a specific user, issued by one
of the certification authorities above. This one allows three
different keys to sign as jf@keynote.research.att.com (each with
a different crypto algorithm). Three credentials in one:
VERSION: 1
SIGNER: dsa-sha1-pkcsX:6:def456
KEY-PREDICATE: dsa-sha1-pkcsX:6:22a413 ||
rsa-sha1-pkcsX:8:1d024811 ||
rsa-md5-pkcsX:10:3a4f55220e
TRUST-PREDICATE: (($app_domain="RFC822-EMAIL") &&
($name = "J. Feigenbaum" || $name = "") &&
($address="jf@keynote.research.att.com"))
SIGNATURE: rsa-sha1-pkcsX:16:80ab4186d01744cc
Observe that under policy A and credentials B, C and D, the following
action environments are accepted:
$action_signer = "dsa-sha1-pkcsX:6:01a32f"
$app_domain = "RFC822-EMAIL"
$address="mab@keynote.research.att.com"
and
$action_signer = "dsa-sha1-pkcsX:6:01a32f"
$app_domain = "RFC822-EMAIL"
$address="mab@keynote.research.att.com"
$name="M. Blaze"
while the following are not accepted:
$action_signer = "dsa-sha1-pkcsX:6:01a32f"
$app_domain = "RFC822-EMAIL"
$address="angelos@dsl.cis.upenn.edu"
and
$action_signer = "dsa-sha1-pkcsX:6:22a413"
$app_domain = "RFC822-EMAIL"
$address="mab@keynote.research.att.com"
$name="M. Blaze"
and
$action_signer = "dsa-sha1-pkcsX:6:01a32f"
$app_domain = "RFC822-EMAIL"
$address="mab@keynote.research.att.com"
$name="J. Feigenbaum"
E. Here's a credential that does not allow delegation to another key:
VERSION: 1
SIGNER: dsa-sha1-pkcsX:6:def456
KEY-PREDICATE: dsa-sha1-pkcsX:6:410011
TRUST-PREDICATE: ($app_domain="RFC822-EMAIL") &&
($action_signer="dsa-sha1-pkcsX:6:410011") &&
($name = "A. Keromytis" || $name = "") &&
($address="angelos@keynote.research.att.com")
SIGNATURE: rsa-sha1-pkcsX:16:112358aabbccddee
Now, even if we add a credential:
VERSION: 1
SIGNER: dsa-sha1-pkcsX:6:410011
KEY-PREDICATE: dsa-sha1-pkcsX:6:dadada
TRUST-PREDICATE: true
SIGNATURE: rsa-sha1-pkcsX:16:112358aabbccddee
we still won't accept this action environment:
$action_signer = "dsa-sha1-pkcsX:6:dadada"
$app_domain = "RFC822-EMAIL"
$address="angelos@keynote.research.att.com"
$name="A. Keromytis"
Although, of course, we would accept:
$action_signer = "dsa-sha1-pkcsX:6:410011"
$app_domain = "RFC822-EMAIL"
$address="angelos@keynote.research.att.com"
$name="A. Keromytis"
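As an added illustration (not code from this message or from the KeyNote implementation), here is a small Python checker that encodes policy A, credentials B through E and the extra 410011 -> dadada credential as callables and reproduces the accept/reject outcomes listed above. The Assertion class, accepts() and its fixed-point delegation rule are my own rendering of the semantics these examples rely on, and $action_signer is allowed to carry a comma-separated list, as the later sections use.

```python
import re
# Added example (not KeyNote's reference code): a minimal compliance checker for
# the delegation semantics of assertions A-E above; predicates are transcribed
# by hand into Python callables instead of being parsed from the assertion text.
class Assertion:
    def __init__(self, signer, key_pred, trust_pred):
        self.signer = signer          # issuing key, or "policy" for local policy
        self.key_pred = key_pred      # ok -> bool; ok(key) says if key is authorized
        self.trust_pred = trust_pred  # env -> bool over the action environment

def signers_of(env):
    """Split the comma-separated $action_signer value into a set of key names."""
    return {s.strip() for s in env.get("$action_signer", "").split(",") if s.strip()}

def accepts(policy, credentials, env):
    """Least fixed point: a key is authorized if it signed the action, or signed a
    credential whose trust and key predicates hold given already-authorized keys."""
    authorized = signers_of(env)
    changed = True
    while changed:
        changed = False
        for c in credentials:
            if (c.signer not in authorized and c.trust_pred(env)
                    and c.key_pred(lambda k: k in authorized)):
                authorized.add(c.signer)
                changed = True
    return policy.trust_pred(env) and policy.key_pred(lambda k: k in authorized)

def email(env, names, address):
    """Common shape of the TRUST-PREDICATEs in C, D, E (an unset $name reads as "")."""
    return (env.get("$app_domain") == "RFC822-EMAIL"
            and env.get("$name", "") in names and env.get("$address") == address)

# Assertions A-E plus the 410011 -> dadada credential, transcribed from the message.
POLICY_A = Assertion("policy", lambda ok: ok("rsa-sha1-pkcsX:6:abc123"), lambda env: True)
CRED_B = Assertion("rsa-sha1-pkcsX:6:abc123",
                   lambda ok: ok("dsa-sha1-pkcsX:6:def456") or ok("rsa-sha1-pkcsX:6:123aaa"),
                   lambda env: env.get("$app_domain") == "RFC822-EMAIL" and
                   re.search(r"^.*@keynote.research.att.com$", env.get("$address", "")) is not None)
CRED_C = Assertion("dsa-sha1-pkcsX:6:def456", lambda ok: ok("dsa-sha1-pkcsX:6:01a32f"),
                   lambda env: email(env, {"M. Blaze", ""}, "mab@keynote.research.att.com"))
CRED_D = Assertion("dsa-sha1-pkcsX:6:def456",
                   lambda ok: ok("dsa-sha1-pkcsX:6:22a413") or ok("rsa-sha1-pkcsX:8:1d024811")
                   or ok("rsa-md5-pkcsX:10:3a4f55220e"),
                   lambda env: email(env, {"J. Feigenbaum", ""}, "jf@keynote.research.att.com"))
CRED_E = Assertion("dsa-sha1-pkcsX:6:def456", lambda ok: ok("dsa-sha1-pkcsX:6:410011"),
                   lambda env: env.get("$action_signer") == "dsa-sha1-pkcsX:6:410011" and
                   email(env, {"A. Keromytis", ""}, "angelos@keynote.research.att.com"))
CRED_DADADA = Assertion("dsa-sha1-pkcsX:6:410011", lambda ok: ok("dsa-sha1-pkcsX:6:dadada"), lambda env: True)
CREDS = [CRED_B, CRED_C, CRED_D, CRED_E, CRED_DADADA]
```

Calling accepts(POLICY_A, CREDS, env) with each of the environments listed above gives True for the two mab@ environments and the 410011 one, and False for the rest, including the dadada environment that credential E refuses to delegate.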
2. WORKFLOW/ELECTRONIC COMMERCE
F. A policy that delegates authority for the "SPEND" application
domain to RSA key bbc1ab when @dollars is less than 10000.
VERSION: 1
SIGNER: policy
KEY-PREDICATE: rsa-sha1-pkcsX:6:bbc1ab
TRUST-PREDICATE: ($app_domain="SPEND") &&
(@dollars < 10000)
G. RSA key bbc1ab requires the signature of at least 2 signers,
one of which must be DSA key 44aabb, in the "SPEND" application
when @dollars is less than 5000.
VERSION: 1
SIGNER: rsa-sha1-pkcsX:6:bbc1ab
KEY-PREDICATE: dsa-sha1-pkcsX:6:44aabb &&
(rsa-sha1-pkcsX:6:ffb1c4 ||
dsa-sha1-pkcsX:6:c2d100 ||
dsa-sha1-pkcsX:6:6a5023 ||
dsa-sha1-pkcsX:4:dead ||
dsa-sha1-pkcsX:4:beef)
TRUST-PREDICATE: ($app_domain="SPEND") &&
(@dollars < 5000)
SIGNATURE: rsa-sha1-pkcsX:10:ffab110c761b41cd
H. As above, but only one signer required if @dollars < 100.
VERSION: 1
SIGNER: rsa-sha1-pkcsX:6:bbc1ab
KEY-PREDICATE: (dsa-sha1-pkcsX:6:44aabb ||
rsa-sha1-pkcsX:6:ffb1c4 ||
dsa-sha1-pkcsX:6:c2d100 ||
dsa-sha1-pkcsX:6:6a5023 ||
dsa-sha1-pkcsX:4:dead ||
dsa-sha1-pkcsX:4:beef)
TRUST-PREDICATE: ($app_domain="SPEND") &&
(@dollars < 100)
SIGNATURE: rsa-sha1-pkcsX:10:a000ff1c0a44ccdd
Under policy F and credentials G and H, we accept:
$action_signer = "dsa-sha1-pkcsX:6:44aabb"
$app_domain = "SPEND"
@dollars = 45
$unmentioned_variable="whatever"
and
$action_signer = "dsa-sha1-pkcsX:4:dead, dsa-sha1-pkcsX:4:beef"
$app_domain = "SPEND"
@dollars = 550
and
$action_signer = "dsa-sha1-pkcsX:6:44aabb, dsa-sha1-pkcsX:4:dead"
$app_domain = "SPEND"
@dollars = 2500
and
$action_signer = "rsa-sha1-pkcsX:6:bbc1ab"
$app_domain = "SPEND"
@dollars = 2000
However, the following are not accepted:
$action_signer = "dsa-sha1-pkcsX:4:dead"
$app_domain = "SPEND"
@dollars = 550
and
$action_signer = "dsa-sha1-pkcsX:4:dead, dsa-sha1-pkcsX:4:beef"
$app_domain = "SPEND"
@dollars = 2500
3. COMMAND AND CONTROL AUTHORIZATION
I. A policy requiring that at least two signers authorize the
launch of missiles against London or Moscow.
VERSION: 1
SIGNER: policy
KEY-PREDICATE: 2-of(dsa-sha1-pkcsX:6:44aabb,
rsa-sha1-pkcsX:6:ffb1c4,
dsa-sha1-pkcsX:6:c2d100,
dsa-sha1-pkcsX:6:6a5023,
dsa-sha1-pkcsX:4:dead,
dsa-sha1-pkcsX:4:beef)
TRUST-PREDICATE: ($app_domain="NUKE") &&
($action="launch") &&
($delivery_system="missile") &&
(($target="moscow") || ($target="london"))