SDSI/SPKI background

Stefan Mink mink at schlund.net
Fri Jun 13 06:00:49 EDT 2003


Hi Carl, 

On Wed, Jun 11, 2003 at 09:56:12PM -0700, Carl Ellison wrote:
> There's one draft that should have gone on to RFC, but people were
> using it from the draft instead.  It's my fault that we left it at
> that stage and didn't publish the RFC.  That's still on my list of
> things to do :-)  It seems that other work kept getting in the way.

I guess it's the draft about the certificate structure?

> stand-alone product like PGP.  It's a tool to be used within other
> products.  It's also almost exclusively for a closed authorization
> infrastructure, rather than an open naming infrastructure.  In fact,

Is there a special reason why the authorisation system can't or
shouldn't be open here? Most systems and services are distributed and
are developed independently, so an open standard would be reasonable
here too, wouldn't it?

> under SPKI/SDSI thinking, a global naming infrastructure is not a proper
> use of one's time and energy.  This is doubtless why the PKI Vendors
> react with hostility toward SPKI/SDSI.

agreed :)

> Yes.  Check out KeyNote and PolicyMaker.  There are links to those
> from my web page.

I couldn't access the latter one but found a copy on citeseer

> Of course, you don't have to use certificates for authorization.  You
> can bind an authorization to a key in a protected database (a
> key-based ACL, in SPKI/SDSI terminology).  Samples of that are SSH
> and X9.59.

sure, but I like the idea of storing the privileges independent of the
service instance; of course there are drawbacks (revocation)...

> We went on to use it in products and research.
> 
> We were and are a group of developers and researchers, not standards
> writers.  Standards writing is fundamentally boring.

:)

Thanks &&
   tschuess
             Stefan Mink
-- 
Stefan Mink, Schlund+Partner AG (AS 8560)
Primary key fingerprint: 389E 5DC9 751F A6EB B974  DC3F 7A1B CF62 F0D4 D2BA
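The two ways of holding an authorization that the exchange above contrasts (a key-based ACL kept in the service's protected database versus a signed authorization certificate carried by the subject), as an added example that is not part of the original mail or of any SPKI/SDSI implementation. The names, the constructed issuer secret, and the HMAC standing in for a real issuer signature are assumptions.

```python
"""Toy model of key-based ACL vs. certificate-style authorization
(constructed example; the HMAC is a stand-in for a public-key signature)."""
import hashlib
import hmac


class KeyBasedAcl:
    """Authorization bound to a key inside the service's own database.
    The service edits the table itself, so revocation takes effect at once."""

    def __init__(self):
        self._grants = {}  # key id -> set of permission tags

    def grant(self, key_id, tag):
        self._grants.setdefault(key_id, set()).add(tag)

    def revoke(self, key_id, tag):
        self._grants.get(key_id, set()).discard(tag)

    def allows(self, key_id, tag):
        return tag in self._grants.get(key_id, ())


def _cert_body(issuer, subject, tag, not_after):
    return f"{issuer}|{subject}|{tag}|{not_after}".encode()


def issue_cert(issuer_secret, issuer, subject, tag, not_after):
    """Certificate-style grant: (issuer, subject, tag, validity) bound by the
    issuer. The privilege lives with the subject, not with any one service."""
    mac = hmac.new(issuer_secret, _cert_body(issuer, subject, tag, not_after),
                   hashlib.sha256).hexdigest()
    return {"issuer": issuer, "subject": subject, "tag": tag,
            "not_after": not_after, "mac": mac}


def cert_allows(cert, issuer_secret, trusted_issuer, subject, tag, now):
    """A service checks the binding and the issuer it trusts; it keeps no
    per-subject state. The drawback: the only 'revocation' is expiry, so a
    grant cannot be withdrawn before not_after without an extra mechanism."""
    body = _cert_body(cert["issuer"], cert["subject"], cert["tag"],
                      cert["not_after"])
    expected = hmac.new(issuer_secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["mac"]):
        return False  # tampered or forged
    return (cert["issuer"] == trusted_issuer and cert["subject"] == subject
            and cert["tag"] == tag and now < cert["not_after"])
```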