RE: Resolving groups?
that is a good question.
(subject (name (hash md5 |abc...|) fred sam george mary))
(subject (name (hash md5 |def...|) sam george mary))
if there is a
(issuer (name (hash md5 |abc...|) fred))
(subject (hash md5 |def...|))
If there are multiple such certificates, then there are multiple reductions.
The machinery is straight-forward.
The semantics is a different issue. For this to really make sense, defining
group, one would need some convention about name assignments. Such
are not part of SDSI or SPKI thinking, but they're always possible (just as
PGP documentation points out that one can always create a signing hierarchy
using PGP's key signing).
For example, one might have a group named Senior_VPs and then refer to:
(subject (name (hash md5 |abc...|)
to refer to those assistants.
I can imagine issuing such a certificate, granting some authorization, and
sending out a note to all the Senior_VPs with that certificate -- for them
to pass along to relevant persons, if they so choose. In the process of
the certificate along, they might also need to create the appropriate name
I don't know if this makes sense as a way authorization certificates will be
used, but it's a possibility.
Thanks for asking the question. I will look for a way to work this into the
docs -- or, if not the RFCs, then some paper on the topic.
-----Original Message-----
From: Gerald Brose [mailto:email@example.com]
Subject: Q: Resolving groups?
Perhaps this is a silly question or it has been asked before, but I
need some help regarding the resolution of names that were introduced
in name certificates. In section 5 spki-cert-structure-05.txt, p.23 ff,
name certs are described as defining groups, i.e. there can be multiple
name certs by a single issuer for the same name but different subjects.
This is straightforward, useful and obviously necessary.
In section 5.3, however, the draft talks about reducing such a name.
What is it reduced to if there are multiple subjects with that name,
i.e. if the group has multiple members? If, e.g., "fred" is such a
group name (relative to hash md5 |abc...|), I don't see how you can
use it in situations like
(subject (name (hash md5 |abc...|) fred sam george mary)).
What does it mean to resolve sam relative to a group? Am I
missing something obvious?
Thanks, regards and a Happy New Year,
Gerald Brose, Mail: firstname.lastname@example.org
FU Berlin (for PGP key see:) http://www.inf.fu-berlin.de/~brose
Institut f. Informatik Ph-one: (++49-30) 838-75112
Berlin, Germany Ph-ax: (++49-30) 838-75109
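The reduction discussed in this thread, as an added example that is not part of either message or of the SPKI drafts: each name cert binding a key's local name to a subject rewrites the head of a compound name, and a group (several certs for one name) yields several reductions. The tuple encoding, the key labels such as `K_abc`, and the choice to drop branches that have no matching cert are assumptions of this sketch.

```python
# Added illustration. Certificates are modelled as a dict (an assumption of
# this sketch, not the SPKI S-expression format):
#   (issuer_key, local_name) -> set of subjects
# where a subject is a key (str) or another name (key, (n1, n2, ...)).

def reduce_name(key, names, certs):
    """Return every key that (name key n1 n2 ...) reduces to."""
    results, seen = set(), set()
    stack = [(key, tuple(names))]
    while stack:
        k, rest = stack.pop()
        if (k, rest) in seen:
            continue                      # guard against circular definitions
        seen.add((k, rest))
        if not rest:
            results.add(k)                # fully reduced to a bare key
            continue
        head, tail = rest[0], rest[1:]
        # One reduction per certificate: a group name fans out here.
        for subject in certs.get((k, head), ()):
            if isinstance(subject, str):
                stack.append((subject, tail))
            else:                         # subject is itself a name
                sub_key, sub_names = subject
                stack.append((sub_key, tuple(sub_names) + tail))
    return results

# Constructed sample data: "fred" under K_abc is a group with two members.
CERTS = {
    ("K_abc", "fred"): {"K_def", "K_ghi"},
    ("K_def", "sam"): {"K_sam1"},
    ("K_ghi", "sam"): {"K_sam2"},
    ("K_sam1", "george"): {"K_george"},
    ("K_george", "mary"): {"K_mary"},
    ("K_loop", "a"): {("K_loop", ("a",))},   # circular definition
}

if __name__ == "__main__":
    print(reduce_name("K_abc", ["fred"], CERTS))
    print(reduce_name("K_abc", ["fred", "sam"], CERTS))
    print(reduce_name("K_abc", ["fred", "sam", "george", "mary"], CERTS))
```

Under this reading, "sam relative to a group" is the union of each member's own `sam`; the branch through `K_sam2` contributes nothing to the longer name because that key has issued no `george` binding.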