
RE: Resolving groups?



Gerald,

	that is a good question.


(subject (name (hash md5 |abc...|) fred sam george mary))

reduces to 

(subject (name (hash md5 |def...|) sam george mary))

if there is a

(cert
  (issuer (name (hash md5 |abc...|) fred))
  (subject (hash md5 |def...|))
 ...
)

If there are multiple such certificates, then there are multiple reductions.

The machinery is straight-forward.

The semantics is a different issue.  For this to really make sense, defining a
group, one would need some convention about name assignments.  Such conventions
are not part of SDSI or SPKI thinking, but they're always possible (just as the
PGP documentation points out that one can always create a signing hierarchy
using PGP's key signing).

For example, one might have a group named Senior_VPs and then refer to:

  (subject (name (hash md5 |abc...|)
            Senior_VPs Personal_assistant))

to refer to those assistants.

I can imagine issuing such a certificate, granting some authorization, and then
sending out a note to all the Senior_VPs with that certificate -- for them to
pass along to relevant persons, if they so choose.  In the process of passing
the certificate along, they might also need to create the appropriate name
certificate(s).

I don't know if this makes sense as a way authorization certificates will be
used, but it's a possibility.

Thanks for asking the question.  I will look for a way to work this into the
docs -- or, if not the RFCs, then some paper on the topic.

 - Carl


-----Original Message-----
From: Gerald Brose [mailto:brose@inf.fu-berlin.de]
Subject: Q: Resolving groups?


Hello.

Perhaps this is a silly question or it has been asked before, but I 
need some help regarding the resolution of names that were introduced 
in name certificates. In section 5 of spki-cert-structure-05.txt, p.23 ff, 
name certs are described as defining groups, i.e. there can be multiple 
name certs by a single issuer for the same name but different subjects. 
This is straightforward, useful and obviously necessary.

In section 5.3, however, the draft talks about reducing such a name.
What is it reduced to if there are multiple subjects with that name,
i.e. if the group has multiple members? If, e.g., "fred" is such a
group name (relative to hash md5 |abc...|), I don't see how you can
use it in situations like 

(subject (name (hash md5 |abc...|) fred sam george mary)).

What does it mean to resolve sam relative to a group? Am I 
missing something obvious?

Thanks, regards and a Happy New Year, 
Gerald Brose.
--
Gerald Brose,                       Mail:       brose@inf.fu-berlin.de
FU Berlin        (for PGP key see:) http://www.inf.fu-berlin.de/~brose
Institut f. Informatik              Ph-one:        (++49-30) 838-75112
Berlin, Germany                     Ph-ax:         (++49-30) 838-75109
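
Added example, not part of the original messages and not SPKI reference code: a small Python sketch of the name reduction discussed in this thread, showing that a group name with several name certs yields several reductions. It assumes name-cert subjects are always bare key hashes, as in the certificate shown in the reply; the NameCert type, the function names and the placeholder hash strings are constructed for illustration.

```python
from collections import namedtuple

# Name cert: issuer key hash + identifier -> subject key hash.
NameCert = namedtuple("NameCert", "issuer ident subject")

def reduce_once(name, certs):
    """One reduction step on name = (key, id1, id2, ...).

    Each cert issued by `key` for `id1` yields one reduction, so a group
    with several members yields several reduced names.
    """
    key, first, rest = name[0], name[1], name[2:]
    reduced = set()
    for c in certs:
        if c.issuer == key and c.ident == first:
            # (name K id1 id2 ...) -> (name K' id2 ...), or bare K' at the end
            reduced.add((c.subject,) + rest if rest else c.subject)
    return reduced

def resolve(name, certs):
    """Reduce until only keys remain; returns the set of keys denoted."""
    keys, work = set(), [name]
    while work:
        n = work.pop()
        if isinstance(n, str):
            keys.add(n)          # fully reduced: a bare key hash
        else:
            work.extend(reduce_once(n, certs))  # dead branches add nothing
    return keys

# Constructed sample data; the hash strings are placeholders, not real hashes.
CERTS = [
    NameCert("abc...", "Senior_VPs", "vp1..."),
    NameCert("abc...", "Senior_VPs", "vp2..."),
    NameCert("abc...", "Senior_VPs", "vp3..."),   # vp3 names no assistant
    NameCert("vp1...", "Personal_assistant", "pa1..."),
    NameCert("vp2...", "Personal_assistant", "pa2..."),
    NameCert("vp2...", "Personal_assistant", "pa3..."),
]
GROUP = ("abc...", "Senior_VPs", "Personal_assistant")

if __name__ == "__main__":
    print(sorted(reduce_once(GROUP, CERTS)))
    print(sorted(resolve(GROUP, CERTS)))
```

A verifier would still have to check the signature and validity of every name cert it uses before trusting a reduction; the sketch covers only the rewriting step.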

