Re: [Botan-devel] OT: SPKI
From: Sean R. <sra...@bl...> - 2003-06-26 18:37:02
On Wed, 2003-06-25 at 18:44, Jack Lloyd wrote:
> On 24 Jun 2003, Sean Radford wrote:
>
> > Hi,
> >
> > Just wondering, have people on this list come across Simple Public Key
> > Infrastructure, and if so what are their thoughts?
>
> I've looked at some docs (mostly the RFCs) a few months ago. It seems nice.
> Almost certainly easier/saner to implement than X.509 (but what isn't?).
> The sexps I'm not a huge fan of, it seems like they'd be a bit tricky to
> process (at least in C/C++/Java - in Perl/Lisp/ML they'd probably be a
> piece of cake).

I totally agree about the SEXP format - there is an XML definition floating about too, though I haven't got round to finding/using it yet.

>
> SPKI seems to have a rather different idea about certificates than X.509
> (or even PGP). I get the impression reading RFC 2692 that the main uses
> SPKI was being considered for are offline uses (that is, direct interaction
> between, say, a smartcard and a reader), rather than over the network.
>

Offline use is apt, but its main design ethos was to mimic human interaction to negate the global naming problem, use a local trust model, and have integral authorisation. The more I've looked into it, it seems amazing it is so little known and used.

> The main problem is lack of deployment, in particular since such
> non-networked uses are more suited for SPKI (ie, you have to get hardware
> vendor support). I have heard some rumblings that SSH and SSL are being
> modified to support SPKI, though I haven't seen anything about it lately on
> the IETF SSH or TLS lists.

Haven't heard anything about this (SSH, TLS etc). Would be fantastic if they would. Something I may have to push sometime in the future...

>
> So, in summary, my opinion is that SPKI is much better suited to short-term
> uses and offline uses (which are often related) than X.509. I have a
> feeling this is largely X.509's own fault, though (you can do anything with
> X.509 that you can do with SPKI, the problem being that if you do it in
> X.509 it's not going to be portable and it will be awful to implement).
>
> How's your implementation work coming (if at all)?

In progress. I've had to put my C++ implementation to the back of the pile at the moment :-( Having to concentrate on the J2EE Certificate Server and Web-based management console at present. Hopefully it'll all become an open source project one day in the near future - got to get that 'plausible promise'.

Regards,

Sean

--
Dr. Sean Radford, MBBS, MSc
<sra...@bl...>
http://bladesys.demon.co.uk/
Blade Systems