SPKI Certificate Theory (RFC2693)

IP.com Disclosure Number: IPCOM000003286D
Original Publication Date: 1999-Sep-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 35 page(s) / 90K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

B. Frantz: AUTHOR [+6]

Abstract

The SPKI Working Group has developed a standard form for digital certificates whose main purpose is authorization rather than authentication. These structures bind either names or explicit authorizations to keys or other objects. The binding to a key can be directly to an explicit key, or indirectly through the hash of the key or a name for it. The name and authorization structures can be used separately or together. We use S-expressions as the standard format for these certificates and define a canonical form for those S-expressions. As part of this development, a mechanism for deriving authorization decisions from a mixture of certificate types was developed and is presented in this document.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 3% of the total text.

Network Working Group                                         C. Ellison
Request for Comments: 2693                                         Intel
Category: Experimental                                         B. Frantz
                                                    Electric Communities
                                                              B. Lampson
                                                               Microsoft
                                                               R. Rivest
                                     MIT Laboratory for Computer Science
                                                               B. Thomas
                                                       Southwestern Bell
                                                               T. Ylonen
                                                                     SSH
                                                          September 1999

SPKI Certificate Theory

Status of this Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

The SPKI Working Group has developed a standard form for digital certificates whose main purpose is authorization rather than authentication. These structures bind either names or explicit authorizations to keys or other objects. The binding to a key can be directly to an explicit key, or indirectly through the hash of the key or a name for it. The name and authorization structures can be used separately or together. We use S-expressions as the standard format for these certificates and define a canonical form for those S-expressions. As part of this development, a mechanism for deriving authorization decisions from a mixture of certificate types was developed and is presented in this document.

This document gives the theory behind SPKI certificates and ACLs without going into technical detail about those structures or their uses.

Table of Contents

1. Overview of Contents.......................................3
1.1 Glossary..................................................4
2. Name Certification.........................................5
2.1 First Definition of CERTIFICATE...........................6
2.2 The X.500 Plan and X.509..................................6
2.3 X.509, PEM and PGP........................................7
2.4 Rethinking Global Names...................................7
2.5 Inescapable Identifiers...................................9
2.6 Local Names..............................................10
2.6.1 Basic SDSI Names.......................................10
2.6.2 Compound SDSI Names....................................10
2.7 Sources of Global Identifiers.......................