RE: Where is Carl M. Ellison?
- To: carl.m.ellison@intel.com, cme@alum.mit.edu, cme@jf.intel.com, schadow@aurora.rg.iupui.edu
- Subject: RE: Where is Carl M. Ellison?
- From: Gunther Schadow <schadow@aurora.rg.iupui.edu>
- Date: Thu, 11 Mar 1999 12:57:47 -0500 (EST)
- Cc: blampson@microsoft.com, bt0008@entropy.sbc.com, frantz@netcom.com, perry@piermont.com, smb@research.att.com, spki@c2.net, ylo@ssh.fi
- Sender: owner-spki@c2.net
Carl,
Thank you. The e-mail problems existed with acm.org and some earlier
address starting with "sw.???.com". They didn't know the user "cme".
What made me so anxious is that all HREFs I have for you (including
pobox) redirect to http://www.clark.net/pub/cme but that pub/cme
directory is unknown there. Moreover, if I get to the root of
www.clark.net, I am redirected to http://midatlantic.verio.net/ and
nothing seems to know you there. That's weird, isn't it? I cannot
confirm your observation that any of the hosts involved is actually
down. They just don't know pub/cme or redirect into the desert.
Thanks for the biblio reference.
> SPKI is alive and well. I'm here at Intel working on our
> implementation and use of it -- and of authorization in general, no
> matter what certificate mix people provide. I'll be happy to point
> people at details about that solution set.
> Meanwhile, there are a number of implementations based on the
> drafts and a handful of applications using them.
Such as?
> As for SPKI vs. PKIX -- we're addressing different topics.
> PKIX is building support for identity certificates provided by CAs
> external to the user (typically a commercial entity or a corporate
> CA center). SPKI deals with direct authorization of keys and
> personal ID certs (via SDSI), not with central commercial CA
> support. I personally believe the SPKI approach is superior, of
> course, but we'll discover that as the years go by.
Is it a reasonable strategy for a small self-developing user
organization to invest in both PKIX and SPKI? It seems to me that
there is nothing protocol-wise that PKIX can do and SPKI cannot do.
> [Ob plug]: as part of the CDSA effort, through the OpenGroup, we
> have defined an authorization computation mechanism (as detailed in
> the theory document as 5-tuple reduction) which operates on
> certificates of all forms, not just SPKI. We have also defined
> support for certificates of the various X.509 flavors, SPKI/SDSI,
> and PGP. The objective of that effort is to give the implementer a
> choice of format, so that he can select the one that best fits his
> needs, but still allow him to do the full authorization computation
> as detailed in the SPKI documents. As I said, I believe the SPKI
> format meets these needs the best (most securely by a large factor,
> most simply and most directly) -- but we'll see what developers
> decide.
Thanks, that answers most of my questions.
regards
-Gunther
Gunther Schadow ----------------------------------- http://aurora.rg.iupui.edu
Regenstrief Institute for Health Care
1001 W 10th Street RG5, Indianapolis IN 46202, Phone: (317) 630 7960
schadow@aurora.rg.iupui.edu ---------------------- #include <usual/disclaimer>