[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Resolving groups?


Ellison, Carl M wrote:
> (subject (name (hash md5 |abc...|) fred sam george mary))
> reduces to
> (subject (name (hash md5 |def...|) sam george mary))
> if there is a
> (cert
>   (issuer (name (hash md5 |abc...|) fred))
>   (subject (hash md5 |def...|))
>  ...
> )
> If there are multiple such certificates, then there are multiple 
> reductions.
> The machinery is straight-forward. The semantics is a different 
> issue. 

I am not sure the machinery is indeed straightforward, nor can
I imagine cases where you would want to resolve names relative
to groups.

If, while you are in the middle of reducing a certificate chain,
you happen to resolve a name relative to a group (which you would 
have no way of knowing in advance), you would have to deal with 
*a set* of pricipals rather than a single one. If resolution has
to continue, how are you going to proceed? Would you require
that all group members resolve names to the same subjects in

> For this to really make sense, defining a group, one would need some

> convention about name assignments.  Such conventions
> are not part of SDSI or SPKI thinking, but they're always possible 
> (just as the PGP documentation points out that one can always create

> a signing hierarchy using PGP's key signing).
> For example, one might have a group named Senior_VPs and then refer
>   (subject (name (hash md5 |abc...|)
>             Senior_VPs Personal_assistant))
> to refer to those assistants.
> I can imagine issuing such a certificate, granting some
> and then sending out a note to all the Senior_VPs with that
certificate -- 
> for them to pass along to relevant persons, if they so choose.  In
> process of passing the certificate along, they might also need to
> the appropriate name certificate(s).
> I don't know if this makes sense as a way authorization certificates
> will be used, but it's a possibility.

I do agree that you would want to pass along authorizations to group
members and be able to verify that, given that all necessary
are presented, but my point is that name resolution either needs to be

ruled out are has to be given a more precise meaning. The only helpful
convention I can imagine is that the issuer who delegates an
to a group is responsible to issue *reduced* certificates so that 
group members are targeted directly. Thus, these certificates can be
used directly because names in certificates do not need to be further

- --
Gerald Brose,                       Mail:       brose@inf.fu-berlin.de
FU Berlin        (for PGP key see:) http://www.inf.fu-berlin.de/~brose
Institut f. Informatik              Ph-one:        (++49-30) 838-75112
Berlin, Germany                     Ph-ax:         (++49-30) 838-75109

Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>