SDSI/SPKI background

Carl Ellison cme at acm.org
Thu Jun 12 00:56:12 EDT 2003


Hi Stefan,

At 10:57 AM 6/10/2003 +0200, Stefan Mink wrote:
>Hi,
>
>I'm currently preparing courses about telecommunication security
>architectures and protocols of which certificates are a main
>building block for authentication and authorisation.
>
>I'm presenting the PKI/PMI-models with X.509 as mainly used
>architecture today and PGP as the distributed model.
>
>I also want to present SDSI/SPKI but as far as I know, work in this
>direction seems to have stopped: The IETF WG was closed and some
>drafts weren't finished as RFCs. Nevertheless there are interesting
>ideas which are worth showing in contrast to X.509.

IETF work on SPKI/SDSI was stopped.  We do not need to continue
adding new protocols to the SPKI/SDSI family.

There's one draft that should have gone on to RFC, but people were
using it from the draft instead.  It's my fault that we left it at
that stage and didn't publish the RFC.  That's still on my list of
things to do :-)  It seems that other work kept getting in the way.

But the uses of SPKI/SDSI have continued.  Check out

	http://theworld.com/~cme/html/spki.html

for implementations of and research papers on SPKI/SDSI.  There are a
few other implementations that have not been publicized, as well. 
SPKI/SDSI doesn't lead to an industry like PKI and isn't a
stand-alone product like PGP.  It's a tool to be used within other
products.  It's also almost exclusively for a closed authorization
infrastructure, rather than an open naming infrastructure.  In fact,
under SPKI/SDSI thinking, a global naming infrastructure is not a proper
use of one's time and energy.  This is doubtless why the PKI Vendors
react with hostility toward SPKI/SDSI.


>
>I still have two open points which I couldn't resolve by searching
>and reading:
>* Are there other authorisation certificate standards besides
>  SDSI/SPKI?

Yes.  Check out KeyNote and PolicyMaker.  There are links to those
from my web page.

There is also XACML and there is promised to be WS-Authorization.

Of course, you don't have to use certificates for authorization.  You
can bind an authorization to a key in a protected database (a
key-based ACL, in SPKI/SDSI terminology).  Samples of that are SSH
and X9.59.

>* What are the main reasons that work on SDSI/SPKI stopped although
>  much work was already done?

We went on to use it in products and research.

We were and are a group of developers and researchers, not standards
writers.  Standards writing is fundamentally boring.

>
>   tschuess
>             Stefan
>--
>Stefan Mink, Schlund+Partner AG (AS 8560)
>Primary key fingerprint: 389E 5DC9 751F A6EB B974  DC3F 7A1B CF62
>F0D4 D2BA  
>


Tschüss,

	Carl

+------------------------------------------------------------------+
|Carl M. Ellison         cme at acm.org     http://world.std.com/~cme |
|    PGP: 75C5 1814 C3E3 AAA7 3F31  47B9 73F1 7E3C 96E7 2B71       |
+---Officer, arrest that man. He's whistling a copyrighted song.---+
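The key-based ACL that Carl contrasts with certificates (an authorization bound directly to a key in a protected database, as SSH does with authorized keys) as an added example in Go; this is not code from the thread or from any SPKI/SDSI implementation, and the SHA-256 fingerprint as principal, the action||nonce request layout and all function names are assumptions of this example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// KeyACL is a key-based ACL: key fingerprint -> permitted actions. The key is the principal.
type KeyACL map[[32]byte]map[string]bool

// NewKey generates a fresh Ed25519 key pair (a constructed principal for the demo).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Fingerprint is how the ACL names a key: SHA-256 over the raw public key bytes.
func Fingerprint(pub ed25519.PublicKey) [32]byte {
	return sha256.Sum256(pub)
}

// Grant records in the protected database that this key may perform action.
func (acl KeyACL) Grant(pub ed25519.PublicKey, action string) {
	fp := Fingerprint(pub)
	if acl[fp] == nil {
		acl[fp] = map[string]bool{}
	}
	acl[fp][action] = true
}

// requestBytes binds the signature to the action and a verifier-chosen nonce (no replay).
func requestBytes(action string, nonce []byte) []byte {
	return append([]byte(action+"\x00"), nonce...)
}

// SignRequest is the client side: prove possession of the key for this request.
func SignRequest(priv ed25519.PrivateKey, action string, nonce []byte) []byte {
	return ed25519.Sign(priv, requestBytes(action, nonce))
}

// Authorize checks proof of possession first; only a verified key reaches the ACL.
func (acl KeyACL) Authorize(pub ed25519.PublicKey, action string, nonce, sig []byte) bool {
	if !ed25519.Verify(pub, requestBytes(action, nonce), sig) {
		return false
	}
	return acl[Fingerprint(pub)][action]
}
```

No name is ever resolved: revoking access is deleting the fingerprint's row, and a key absent from the database gets nothing regardless of who claims to hold it.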

---------------------------------------------------------------------
The Cryptography Mailing List