
RE: Resolving groups?

That is a good question.

(subject (name (hash md5 |abc...|) fred sam george mary))

reduces to 

(subject (name (hash md5 |def...|) sam george mary))

if there is a

  (issuer (name (hash md5 |abc...|) fred))
  (subject (hash md5 |def...|))

If there are multiple such certificates, then there are multiple reductions.

The machinery is straight-forward.

The semantics is a different issue.  For this to really make sense, defining
group, one would need some convention about name assignments.  Such
are not part of SDSI or SPKI thinking, but they're always possible (just as
PGP documentation points out that one can always create a signing hierarchy
using PGP's key signing).

For example, one might have a group named Senior_VPs and then refer to:

  (subject (name (hash md5 |abc...|)
            Senior_VPs Personal_assistant))

to refer to those assistants.

I can imagine issuing such a certificate, granting some authorization, and
sending out a note to all the Senior_VPs with that certificate -- for them to
pass along to relevant persons, if they so choose.  In the process of passing
the certificate along, they might also need to create the appropriate name

I don't know if this makes sense as a way authorization certificates will be
used, but it's a possibility.

Thanks for asking the question.  I will look for a way to work this into the
docs -- or, if not the RFCs, then some paper on the topic.

 - Carl

-----Original Message-----
From: Gerald Brose [mailto:brose@inf.fu-berlin.de]
Subject: Q: Resolving groups?


Perhaps this is a silly question or it has been asked before, but I
need some help regarding the resolution of names that were introduced
in name certificates. In section 5 of spki-cert-structure-05.txt, p.23 ff,
name certs are described as defining groups, i.e. there can be multiple
name certs by a single issuer for the same name but different subjects.
This is straightforward, useful and obviously necessary.

In section 5.3, however, the draft talks about reducing such a name.
What is it reduced to if there are multiple subjects with that name,
i.e. if the group has multiple members? If, e.g., "fred" is such a
group name (relative to hash md5 |abc...|), I don't see how you can
use it in situations like 

(subject (name (hash md5 |abc...|) fred sam george mary)).

What does it mean to resolve sam relative to a group? Am I 
missing something obvious?

Thanks, regards and a Happy New Year, 
Gerald Brose.
--
Gerald Brose,                       Mail:       brose@inf.fu-berlin.de
FU Berlin        (for PGP key see:) http://www.inf.fu-berlin.de/~brose
Institut f. Informatik              Phone:         (++49-30) 838-75112
Berlin, Germany                     Fax:           (++49-30) 838-75109
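The reduction step Carl describes, as an added example that is not code from this thread or from the SPKI drafts: one name cert rewrites the leading component of a compound name, a group (several certs defining the same name) yields several reductions, and full resolution collects the member keys. Keys are stood in for by their hash strings, and all certificates and hashes below are constructed.

```python
# Added example, not from the SPKI list or any draft; all certs and hashes constructed.
from collections import namedtuple
# issuer_key: hash of issuing key; issuer_name: the name defined; subject: a key hash
# (str) or another name.  A name is (key_hash, [n1, n2, ...]).
NameCert = namedtuple("NameCert", "issuer_key issuer_name subject")

def reduce_once(name, certs):
    """Rewrite the leading component with every cert that defines it (the
    section 5.3 step).  One result per matching cert, so a group gives several."""
    key, (first, *rest) = name
    results = []
    for c in certs:
        if (c.issuer_key, c.issuer_name) != (key, first):
            continue
        if isinstance(c.subject, str):  # subject is a bare key
            results.append((c.subject, rest))
        else:  # subject is itself a name: splice its components in front
            sub_key, sub_names = c.subject
            results.append((sub_key, list(sub_names) + rest))
    return results

def resolve(name, certs):
    """Reduce until only keys remain; returns the set of member keys.
    The seen set stops name definitions that loop back on themselves."""
    keys, seen, pending = set(), set(), [name]
    while pending:
        key, names = pending.pop()
        if (key, tuple(names)) in seen:
            continue
        seen.add((key, tuple(names)))
        if names:
            pending.extend(reduce_once((key, names), certs))
        else:
            keys.add(key)
    return keys

def sexp(name):
    """Render a name the way the draft writes a subject field."""
    key, names = name
    h = "(hash md5 |%s|)" % key
    return "(subject %s)" % (h if not names else "(name %s %s)" % (h, " ".join(names)))

CERTS = [  # constructed: fred is a group of two keys, mary has two members
    NameCert("abc...", "fred", "def..."),
    NameCert("abc...", "fred", "ghi..."),
    NameCert("def...", "sam", "jjj..."),
    NameCert("ghi...", "sam", ("def...", ["sam"])),  # ghi's sam is def's sam
    NameCert("jjj...", "george", "mmm..."),
    NameCert("mmm...", "mary", "nnn..."),
    NameCert("mmm...", "mary", "ooo..."),
]
```

With Gerald's name `(abc fred sam george mary)`, `reduce_once` returns two names because `fred` is a group, and `resolve` ends with the two keys that `mary` finally denotes; an undefined name reduces to nothing rather than raising.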