Re: [Jsdsi-users] Certificates and Trust
From: Sameer A. <aj...@gm...> - 2005-10-25 13:30:26
SPKI should provide what you need. SPKI name certificates provide a very flexible way to bind names to sets of keys and allow principals to delegate names, e.g.:

K_MIT faculty -> K_MIT eecs_dept faculty

This says MIT's name "faculty" includes the keys in MIT's EECS department's faculty. This name is resolved by resolving "K_MIT eecs_dept" to the EECS department key(s), then using that key to resolve faculty. And note that MIT can have another cert that adds more keys to its faculty set, e.g.:

K_MIT faculty -> K_MIT physics_dept faculty

For membership in a particular organization, you might represent this via names or via authorization certs; it depends on what you're trying to achieve. For example, name certs let you represent an organization as a set of public keys, e.g.:

K_org_manager organization_members -> K_sameer

This cert says the organization manager defines the group "organization_members" to include my public key.

K_org_manager organization_members -> K_org_manager organization_members organization_members

This cert says that organization members can further add more members via their own "organization_members" groups.

But you can achieve some more flexibility with auth certificates. In particular, it's easier to express delegation of authority, and you can express more than just membership:

K_org_manager (tag (* set member)) -> K_sameer
K_org_manager (tag (* set member manager)) -> K_somaya

These two certs delegate the "member" authorization to you and me, and also delegate the "manager" authorization to you. The *application* (i.e., access controller) for the group must interpret these authorization tags -- SPKI/SDSI doesn't interpret tags, it just knows how to combine them.

Finally, note that the object of a certificate (the right-hand side) need not be a key; it can be an "ObjectHash", i.e., an identifier for an arbitrary object. In particular, this ObjectHash could refer to a capability object that you define.
But I think an auth certificate is a more direct way of representing a capability in SPKI/SDSI.

S

On 10/25/05, Somaya Aboulwafa <som...@ya...> wrote:
> Hi all,
> I am working on a project that is supposed to build a trust management system. And I want to decide the type of certificate to work with. However, I'm a little bit confused as I don't have a strong background in PKI; I don't know whether to use X.509v3 or SPKI certificates. So I would be really grateful if you answered my inquiries.
>
> First, in my system I need identity certificates, authorization certificates, and capability certificates. For identity certificates, I need them not just to bind public keys to names; I need them to bind the public key to more specific information (e.g. membership in a certain organization, age, student in a certain school, etc). For the capability certificate, I need it to bind the public key to a certain capability (e.g. providing a certain service). So which of them do you think is more appropriate in my case?
>
> Second, in case SPKI is more appropriate, do you think JSDSI would be useful for me? I want a tool that lets me create/generate SPKI certificates, delegate certificates, verify certificates and certification paths.
>
> Any further advice in this track is much appreciated.
> Thanks in advance
> Somaya
>
> _______________________________________________
> Jsdsi-users mailing list
> Jsd...@li...
> https://lists.sourceforge.net/lists/listinfo/jsdsi-users

--
Sameer
http://ajmani.net
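The two mechanisms in Sameer's reply, name resolution and authorization-tag intersection with delegation, as an added toy model. This is not JSDSI code and not the JSDSI API; it is a small illustration written for this thread. Keys are strings such as "K_MIT" standing in for real public keys, tags are plain sets of strings rather than SPKI tag S-expressions, and the certificates marked "constructed" (the department keys, K_alice, K_bob, K_carol, K_dave, K_erin, K_frank) are made up for the example; the others restate the certs from the mail. It goes beyond the mail in one respect: the self-referential "members may add members" cert is resolved as a least fixpoint rather than by unbounded recursion.

```python
"""Toy model of SPKI/SDSI name certs and authorization certs (added example, not JSDSI)."""
from dataclasses import dataclass

# A name cert binds (issuer_key, local_name) to a subject. The subject is an
# extended name: a key plus zero or more names, e.g. ("K_MIT", ("eecs_dept", "faculty")).
# A bare key is written (key, ()).
NAME_CERTS = [
    (("K_MIT", "faculty"), ("K_MIT", ("eecs_dept", "faculty"))),     # from the mail
    (("K_MIT", "faculty"), ("K_MIT", ("physics_dept", "faculty"))),  # from the mail
    (("K_MIT", "eecs_dept"), ("K_eecs", ())),                        # constructed
    (("K_eecs", "faculty"), ("K_alice", ())),                        # constructed
    (("K_MIT", "physics_dept"), ("K_physics", ())),                  # constructed
    (("K_physics", "faculty"), ("K_bob", ())),                       # constructed
    # Organization membership as a group of keys (from the mail), including the
    # self-referential cert that lets members add members.
    (("K_org_manager", "organization_members"), ("K_sameer", ())),
    (("K_org_manager", "organization_members"),
     ("K_org_manager", ("organization_members", "organization_members"))),
    (("K_sameer", "organization_members"), ("K_carol", ())),         # constructed
    (("K_carol", "organization_members"), ("K_dave", ())),           # constructed
]


def _resolve(certs, key, names, memo, active):
    """One evaluation pass for the extended name (key, names).

    `memo` holds the keys found so far for each name; `active` breaks the
    recursion on self-referential names by returning the partial result.
    """
    if not names:
        return {key}
    target = (key, tuple(names))
    if target in active:
        return set(memo.get(target, set()))
    active.add(target)
    result = set(memo.get(target, set()))
    first, rest = names[0], tuple(names[1:])
    for (issuer, local), (subj_key, subj_names) in certs:
        if issuer == key and local == first:
            # Resolve the subject to keys, then use each key to resolve the rest of the name.
            for k in _resolve(certs, subj_key, subj_names, memo, active):
                result |= _resolve(certs, k, rest, memo, active)
    active.discard(target)
    memo[target] = result
    return result


def resolve_name(certs, key, *names):
    """Set of keys denoted by 'key name1 name2 ...', computed as a least fixpoint."""
    memo = {}
    while True:
        before = {t: frozenset(s) for t, s in memo.items()}
        result = _resolve(certs, key, tuple(names), memo, set())
        after = {t: frozenset(s) for t, s in memo.items()}
        if after == before:          # a full pass added nothing: fixpoint reached
            return result


@dataclass(frozen=True)
class AuthCert:
    issuer: str
    subject: str
    tags: frozenset   # the mail's (tag (* set ...)), modelled as a set of strings
    delegate: bool    # may the subject pass the authorization on?


AUTH_CERTS = [
    AuthCert("K_org_manager", "K_sameer", frozenset({"member"}), False),                 # from the mail
    AuthCert("K_org_manager", "K_somaya", frozenset({"member", "manager"}), True),       # from the mail
    AuthCert("K_somaya", "K_erin", frozenset({"member", "manager", "admin"}), False),    # constructed
    AuthCert("K_sameer", "K_frank", frozenset({"member"}), True),                        # constructed
]


def authorized(certs, owner, requester, tag):
    """Is there a chain owner -> ... -> requester that carries `tag`?

    Tags are intersected along the chain (SPKI tag intersection, here on plain
    sets), and every cert before the last must permit delegation.
    """
    stack = [(owner, None)]   # None = unrestricted: the owner holds everything
    seen = set()
    while stack:
        key, tags = stack.pop()
        if (key, tags) in seen:
            continue
        seen.add((key, tags))
        for c in certs:
            if c.issuer != key:
                continue
            granted = c.tags if tags is None else tags & c.tags
            if c.subject == requester and tag in granted:
                return True
            if c.delegate:
                stack.append((c.subject, granted))
    return False


if __name__ == "__main__":
    print("K_MIT faculty =", sorted(resolve_name(NAME_CERTS, "K_MIT", "faculty")))
    print("K_org_manager organization_members =",
          sorted(resolve_name(NAME_CERTS, "K_org_manager", "organization_members")))
    print("K_erin admin?", authorized(AUTH_CERTS, "K_org_manager", "K_erin", "admin"))
```

Two points the code makes concrete: the recursive "organization_members" cert is harmless once resolution is a fixpoint over the set of keys found so far, and an auth chain can never widen what the issuer held (K_somaya cannot hand K_erin "admin", since it is dropped by the intersection) or pass through a non-delegable cert (K_sameer's cert to K_frank is ignored). The application still decides what "member" or "manager" mean, exactly as the mail says.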