Re: X.509 ACs vs. SPKI?
On Tue, Jun 01, 1999 at 05:03:32PM -0700, Ed Gerck wrote:
> > It is not clear to me that you would want to revoke an identifier. An
> > identifier is just a byte string. The hash of the public key is a byte
> > string that you know is globally unique and is tied 1:1 with a private
> > key.
> In Logic, one distinguishes between material values and formal values.
> The formal value of the public-key hash is its byte string (as you say)
> and is immutable after issuance. On the other hand, the material value
> is what it denotes and this can change at any time -- for example, it may
> now denote a revoked key. Thus, the material value of the same formal
> identifier may change at any time.
But the binding between the key and the hash is the binding of
interest. That the key may have been revoked is not relevant to
Hashing an entire cert may indeed be useful, but precisely the same
argument applies -- certs are not completely self-contained
self-referential atoms; they have "material values" as well, and
those "material values" may change.
> In software engineering terms, the public-key hash is a pointer and we
> likewise distinguish between the pointer's value (which would be its
> value as a byte string) and what it denotes (its validity, use, warranties,
> etc.) -- usually called its attributes.
However, this analogy is not accurate. What the hash "points" to
can't change -- notice the "1:1" in Carl's statement.
> Thus, likewise in Logic, I believe my sentence above is clear -- we need
> to be able to look up also the hash's material value, not only its formal
> value, if we are willing to designate any material significance to its use.
> That is why the hash alone cannot be used and such would be a serious
> security fault if you are dealing with material values.
But you are not dealing with "material values"... there is no
general way, in principle, to make a hash of "material values".
Kent Crispin
firstname.lastname@example.org
"Do good, and you'll be lonesome." -- Mark Twain