Re: X.509 ACs vs. SPKI?
A lot of SPKI concepts can be found in PGPticket
OpenPGP specifies message formats and certificate formats used for
exchange of encrypted and/or authenticated objects. This document
discusses methods of extending OpenPGP's message formats to support
an authorization system. This system would use public key
cryptography to authenticate a user to a server and establish the
user's access permissions. The concept is that the user acquires a
ticket signed by some issuer that specifies what they are entitled to
do. That ticket is then submitted to a server. The server uses a
challenge/response method to verify that the holder really has the
matching private key. The server then allows the access specified.
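The ticket flow described in that abstract, as an added example rather than code from PGPticket, OpenPGP or the draft: a Go sketch that substitutes Ed25519 for OpenPGP signatures, with hypothetical Ticket and SignedTicket types, IssueTicket and Authorize functions, and a respond callback standing in for the client's side of the challenge/response exchange.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Ticket is a hypothetical stand-in for a PGPticket body; validity is in unix seconds.
type Ticket struct {
	Holder    ed25519.PublicKey `json:"holder"`    // key the ticket is issued to
	Authority map[string]bool   `json:"authority"` // actions the holder is entitled to
	NotBefore int64             `json:"nbf"`
	NotAfter  int64             `json:"exp"`
}
type SignedTicket struct{ Body, Sig []byte } // encoded body plus the issuer's signature over it
// IssueTicket is the issuer step: sign the encoded ticket body.
func IssueTicket(issuerPriv ed25519.PrivateKey, t Ticket) (SignedTicket, error) {
	body, err := json.Marshal(t)
	if err != nil {
		return SignedTicket{}, err
	}
	return SignedTicket{Body: body, Sig: ed25519.Sign(issuerPriv, body)}, nil
}

// Authorize is the server step: verify the issuer signature and validity, make the presenter
// sign a fresh nonce with the holder key (respond stands in for the round trip), then check the action.
func Authorize(issuerPub ed25519.PublicKey, st SignedTicket, now int64,
	action string, respond func(challenge []byte) []byte) error {
	if !ed25519.Verify(issuerPub, st.Body, st.Sig) {
		return errors.New("ticket: bad issuer signature")
	}
	var t Ticket
	if err := json.Unmarshal(st.Body, &t); err != nil || len(t.Holder) != ed25519.PublicKeySize {
		return errors.New("ticket: malformed body or holder key")
	}
	if now < t.NotBefore || now > t.NotAfter {
		return errors.New("ticket: outside validity period")
	}
	challenge := make([]byte, 32) // fresh per attempt, so a recorded response cannot be replayed
	if _, err := rand.Read(challenge); err != nil { return err }
	if !ed25519.Verify(t.Holder, challenge, respond(challenge)) {
		return errors.New("ticket: holder failed challenge/response")
	}
	if !t.Authority[action] {
		return errors.New("ticket: action not permitted by ticket")
	}
	return nil
}
```

Note the order: possession of the holder key is proven before the permission lookup, so a stolen ticket without its private key buys nothing, and a tampered body fails at the issuer signature.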
On 5/12/99, Men from Black Helicopters forced "Ari Huttunen" to write:
>Has someone made a comparison of what can / cannot be done
>in X.509 Attribute Certificates (draft-ietf-pkix-ac509prof-00.txt)
>that can be done with SPKI certificates? Would there be some ideas
>in SPKI that could be used to enhance X.509 ACs?
>My aim here is very pragmatic. I don't observe SPKI as going
>forward, so I would like X.509 ACs to be able to do as much as
>For the sake of conversation, here's a proposal how SPKI certificates
>could be put inside X.509 ACs. I certainly do not claim that this
>works as-is, but it might be made to work.
>1) The server checking X.509 ACs is also acting as the CA that
> issues those ACs.
>2) The SPKI certificate security fields are mapped as follows:
> Issuer = refers to the X.509 certificate of the server.
> Subject = refers to the X.509 certificate of the client.
> Delegation = ..as in SPKI..
> Authority = ..as in SPKI..
> Validity = attrCertValidityPeriod
> Ari Huttunen
"Those who hammer their swords into plows,
will plow for those who don't."