ietf-openpgp

Re: Principles and Principals

1997-09-25 15:14:39
On Wed, 24 Sep 1997 23:05:30 -0700 (PDT), Patrick Richard
<patr(_at_)xcert(_dot_)com> wrote:

> Ian Brown wrote:
> > The PGP public-key is the principal.
>
> ...
>
> I think this is a great way to look at it. Using the public key, its
> hash or fingerprint as *the* DN allows all sorts of important
> functionality like authorisations.
>
> The major problem with 'key-principal' architectures is the
> revocation problem.
>
> When my key is revoked/changed/upgraded/whathaveyou all
> bindings are lost.

Pat,

     This is certainly not a major problem in the environments 
with which I am most familiar.  Certificate revocation (due to 
invalidation of one of the pieces of information bound into 
the certificate) is far more common than key revocation (due to 
loss or compromise of the key).  The former occurs when jobs, 
mailboxes, roles, or sometimes even authorizations change.  This 
happens at a much higher rate than key loss.

     The only real way to mitigate this is to bind very little to 
the key.  However, this gives up much of the value that the 
certificate offers.

     This was one of the reasons that the attribute certificate 
emerged in X.509.  (There were other reasons too.)  It allowed a 
wide range of this "non-principal" binding data to be abstracted 
from the main structure.  This helps to facilitate separate 
certificates for various functions.  Thus you can have one cert 
that just binds permanent info like a name or perhaps a 
lifetime identification (i.e., SSN) number to a key.  Other 
certificates containing info of a less permanent nature 
(i.e., organizational affiliations, authorizations, e-mail 
addresses) could then be revoked without destroying the user's 
cryptographic identity.

     There is great strength in this kind of modularity.  We 
should consider this concept in Open-PGP.

Chris


 ---------------------------------------------------------------
 |  International Electronic Communication Analysts, Inc.      |
 |  Christopher D. Bonatti                 9010 Edgepark Road  |
 |  Vice-president                     Vienna, Virginia 22182  |
 |  bonattic(_at_)ieca(_dot_)com   Tel: 301-212-9428   Fax: 703-506-8377  |
 |  PGP public key available from "http://www.ieca.com/"        |
 ---------------------------------------------------------------
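The design Chris describes above, as an added worked example that is not part of this message or of the OpenPGP drafts: the key, identified by its fingerprint, is the principal; name, mailbox and role are separate bindings, each self-certified by the key and each revocable on its own, while a key revocation takes every binding down with it. Everything here is an assumption for illustration: the "bind|...", "revoke-binding|..." and "revoke-key|..." byte formats, the Alice/Mallory sample data, and the textbook RSA (no padding) used only so the block runs on the Python standard library; it is a toy signature scheme and must not be used for real signatures.

```python
# Added example (not from the thread): the key, identified by its fingerprint, is the
# principal; name, mailbox and role are separate self-signed bindings revocable one at a
# time, while revoking the key kills them all.  Textbook RSA with no padding is used only
# so this runs on the standard library: it is a toy scheme, never for real signatures.
import hashlib, math, secrets
from dataclasses import dataclass, field

E = 65537
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by small primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        if all(pow(x, 2 ** i, n) != n - 1 for i in range(1, r)):
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_key(bits=512):  # returns ((n, e), (n, d)); toy size, toy scheme
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))

def fingerprint(public):  # the principal's identifier: a hash of the key, not a name
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()

def sign(private, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), private[1], private[0])

def verify(public, data, signature):
    return pow(signature, public[1], public[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

@dataclass
class Principal:
    public: tuple
    bindings: dict = field(default_factory=dict)          # binding id -> (attribute, value, signature)
    revoked_bindings: dict = field(default_factory=dict)  # binding id -> signed revocation
    key_revocation: object = None                         # signed key revocation, or None

def _binding_bytes(fpr, attribute, value):  # assumed wire format for a self-certification
    return f"bind|{fpr}|{attribute}|{value}".encode()

def issue_binding(principal, private, attribute, value):  # self-certify one attribute; returns its id
    data = _binding_bytes(fingerprint(principal.public), attribute, value)
    bid = hashlib.sha256(data).hexdigest()
    principal.bindings[bid] = (attribute, value, sign(private, data))
    return bid

def revoke_binding(principal, private, bid):
    """Mailbox or role changed: revoke that one binding, nothing else."""
    principal.revoked_bindings[bid] = sign(private, f"revoke-binding|{fingerprint(principal.public)}|{bid}".encode())

def revoke_key(principal, private):
    """Key lost or compromised: the principal itself is gone."""
    principal.key_revocation = sign(private, f"revoke-key|{fingerprint(principal.public)}".encode())

def valid_bindings(principal):
    """What a relying party may believe now; revocations count only if the key signed them."""
    pub, fpr = principal.public, fingerprint(principal.public)
    if principal.key_revocation is not None and verify(pub, f"revoke-key|{fpr}".encode(), principal.key_revocation):
        return {}
    out = {}
    for bid, (attribute, value, sig) in principal.bindings.items():
        rev = principal.revoked_bindings.get(bid)
        if rev is not None and verify(pub, f"revoke-binding|{fpr}|{bid}".encode(), rev):
            continue
        if verify(pub, _binding_bytes(fpr, attribute, value), sig):
            out[attribute] = value
    return out

def scenario():
    """The thread's two cases plus a forgery; returns the four relying-party views."""
    pub, priv = generate_key()
    alice = Principal(pub)                      # constructed sample data throughout
    issue_binding(alice, priv, "name", "Alice Example")
    email_id = issue_binding(alice, priv, "email", "alice@example.com")
    issue_binding(alice, priv, "role", "vice-president")
    before = valid_bindings(alice)
    revoke_binding(alice, priv, email_id)       # mailbox changed: that binding alone goes
    after_attr = valid_bindings(alice)
    _, mallory_priv = generate_key()            # another key cannot bind anything to Alice
    alice.bindings["forged"] = ("role", "president", sign(mallory_priv, _binding_bytes(fingerprint(pub), "role", "president")))
    after_forge = valid_bindings(alice)
    revoke_key(alice, priv)                     # compromise: every binding goes
    after_key = valid_bindings(alice)
    return before, after_attr, after_forge, after_key
```

Two details matter beyond the happy path. A revocation is itself a statement about the principal, so the relying party verifies the key's signature on it before honouring it; otherwise anyone could silently strip a binding. And a binding signed by some other key never becomes valid for this fingerprint, which is exactly what makes the key, rather than a name in a directory, the principal. OpenPGP later took this shape: user IDs carry their own self-signatures and can be revoked with a certification revocation signature, while a key revocation signature revokes the key and everything hanging off it.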