
S2ML, Thin PKI and SPKI



Hi Camillo,

> Anders Rundgren wrote:
> > The concept in a nutshell: When you engage in inter-organizational 
> > activities you let an "organization server" vouch for its employees 
> > (clients) by signing (AC-like) credentials on the fly for
> > authentication, and signing outgoing transactions on the clients 
> > request. All this without using any direct PKI-based "connection" 
> > between the client and the RP.   BTW, the client does not even have to
> > use PKI!
> 
> This is beginning to sound familiar, although you are still relying heavily
> on the "on-line trusted party" role.  Which is fine in some cases, but not
> generally applicable nor strictly speaking always necessary.

The reason for having the on-line trusted party (a sort of real-time attribute CA) is that
it can generate whatever credential you need, when you need it, and without any
distribution or installation.  For O2O authentications I would say that it is
generally applicable.  It is a pure convenience solution.

<snip>

> and what you effectively have is very close to the semantics of SPKI.

But without the distribution hassles.

> In certificate systems where authorizations are highly granular, atomic and
> limited, the risk introduced by improper use of a private key or the
> compromise of the signing system is significantly smaller.

Actually I am much less confident that S2ML's authorization system will be that popular,
as there are other solutions like OBI that keep authorizations "at home".  And
the kind of granularity you have "at home" can be anything from getting a "Yes"
from the boss, to fully rule-based systems where each individual can do only
exactly what he/she is supposed to do.  To the outside world there is, for most
outgoing messages, no real visible authorization.  Small order, large order,
they all look the same.

> As a matter of
> fact, I believe this is the only way we can ever make PKI-based eCommerce
> work outside laboratories.

You refer to SPKI here I guess?  A bit unfortunate for SPKI is that it has been shunned by
the "big ones" and S2ML will just make this worse.

Or did I get that wrong?

/anders
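The "organization server" model the message describes, as an added example that is not part of the thread and is not S2ML, SPKI or OBI code: an on-line party holding the organization's only signing key mints a short-lived, AC-like credential for an employee on request and signs an outgoing transaction on the employee's behalf, while the relying party verifies everything against the organization's key alone and never sees a client certificate. The Ed25519 signatures, the JSON encoding, the field names and the type names (Statement, Envelope, OrgServer, RelyingParty) are assumptions made for this example; how the RP obtained the organization's public key is left out of band, as the message leaves it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Statement is what the organization server signs on an employee's behalf: a
// short-lived, AC-like credential (Kind "cred") or an outgoing transaction
// (Kind "tx"). The field set is an assumption made for this example.
type Statement struct {
	Kind    string   `json:"kind"`
	Org     string   `json:"org"`
	Subject string   `json:"subject"`
	Roles   []string `json:"roles,omitempty"`
	Body    string   `json:"body,omitempty"`
	Issued  int64    `json:"issued"`  // Unix seconds
	Expires int64    `json:"expires"` // Unix seconds
}

// Envelope carries a signed statement. Only the organization's key ever signs;
// the employee holds no key pair and no certificate.
type Envelope struct {
	Org       string `json:"org"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// OrgServer is the on-line trusted party: one Ed25519 key for the whole org.
type OrgServer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewOrgServer(name string) (*OrgServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &OrgServer{Name: name, Pub: pub, priv: priv}, nil
}

// seal signs the JSON encoding of s (Marshal cannot fail on these field types).
func (o *OrgServer) seal(s Statement) Envelope {
	payload, _ := json.Marshal(s)
	return Envelope{Org: o.Name, Payload: payload, Signature: ed25519.Sign(o.priv, payload)}
}

// IssueCredential mints a credential on the fly; nothing is distributed to or
// installed on the client beforehand.
func (o *OrgServer) IssueCredential(subject string, roles []string, now time.Time, ttl time.Duration) Envelope {
	return o.seal(Statement{Kind: "cred", Org: o.Name, Subject: subject, Roles: roles,
		Issued: now.Unix(), Expires: now.Add(ttl).Unix()})
}

// SignTransaction signs an outgoing message at the client's request, valid
// for a short acceptance window rather than forever.
func (o *OrgServer) SignTransaction(subject, body string, now time.Time, ttl time.Duration) Envelope {
	return o.seal(Statement{Kind: "tx", Org: o.Name, Subject: subject, Body: body,
		Issued: now.Unix(), Expires: now.Add(ttl).Unix()})
}

// RelyingParty knows a few organization keys (obtained out of band) and nothing client-specific.
type RelyingParty struct{ trusted map[string]ed25519.PublicKey }

// Verify accepts a statement only if the signature checks under the key of the org
// named in the envelope, the payload names that same org, and now is inside the window.
func (rp *RelyingParty) Verify(e Envelope, now time.Time) (*Statement, error) {
	pub, ok := rp.trusted[e.Org]
	if !ok {
		return nil, fmt.Errorf("unknown organization %q", e.Org)
	}
	if !ed25519.Verify(pub, e.Payload, e.Signature) {
		return nil, errors.New("bad signature")
	}
	var s Statement
	if err := json.Unmarshal(e.Payload, &s); err != nil {
		return nil, err
	}
	if s.Org != e.Org {
		return nil, errors.New("statement org does not match envelope")
	}
	if t := now.Unix(); t < s.Issued || t > s.Expires {
		return nil, errors.New("statement outside its validity window")
	}
	return &s, nil
}

func main() {
	acme, _ := NewOrgServer("acme")
	rp := &RelyingParty{trusted: map[string]ed25519.PublicKey{acme.Name: acme.Pub}}
	now := time.Now()
	fmt.Println(rp.Verify(acme.IssueCredential("alice", []string{"purchaser"}, now, 5*time.Minute), now))
	fmt.Println(rp.Verify(acme.SignTransaction("alice", "order 42 widgets", now, time.Minute), now))
}
```

The trade-off the two correspondents are arguing over is visible in the code: the client side needs no key material at all, but every credential and every transaction for the organization rests on the one on-line signing key in OrgServer, and the RP's acceptance check is only as fine-grained as the Statement the server chooses to sign (here a role list and a validity window, nothing about order size).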