[cap-talk] YURLs (or alternatives) and recording the delegation paths?
Bill Frantz
frantz at pwpconsult.com
Fri Jun 30 02:52:25 EDT 2006
rmeijer at xs4all.nl (Rob) on Friday, June 9, 2006 wrote:
>Looking at the subject of auditing, I seem to run into the facts that
>proxy based delegation recording is rather awkward in a distributed
>environment. As an alternative it occurred to me that some form of (bound)
>YURLs may be constructed that could themselves record the delegation
>paths.
>
>The basic idea would be that some sort of bound yurl (byurl?) would
>contain information on who it was issued to. This party could then use it
>directly itself or delegate it, but on delegation would have to add information on
>who it is delegated to and would then have to sign this information.
>The resulting byurl would thus for all practical purposes have the same
>flexible use as regular yurls, but would contain a trace of the delegation
>path that is usable for auditing purposes. As an added bonus you would
>never need to worry about yurl theft as the byurl would need to be
>explicitly delegated to any party that would want to use it.
>
>I was wondering if anyone has done work on looking into that line of
>working, and if so what were the conclusions?
At first blush, this idea sounds like SPKI. SPKI capabilities are bound
to a specific private key. When they are delegated, a delegation
certificate is created allowing another specific private key to use the
capability. (The details are a bit more complex, but this is a bird's
eye view.) More delegation certificates can be created lengthening the
chain. If the chain gets too long, the verifier can produce a
Certificate Result Certificate which reduces the number of public key
operations needed to verify the chain of authority.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032
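
The signed delegation chain discussed in this message, as an added sketch that is not code from the thread and does not reproduce SPKI's certificate format: each holder signs the next holder's public key, and the verifier walks the chain from the issuer's key to recover the delegation path. The names `Link`, `Delegate`, `Verify` and the identifier `cap-1` are hypothetical, Ed25519 is an arbitrary choice, and the presenter is assumed to have already proven possession of its private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Link is one delegation step: Sig is the previous holder's signature naming To.
type Link struct{ To ed25519.PublicKey; Sig []byte }

// linkMsg binds a link to the capability and to the link before it.
func linkMsg(capID string, prev []byte, to ed25519.PublicKey) []byte {
	h := sha256.Sum256([]byte(capID)) // fixed-length fields keep the encoding unambiguous
	return append(append(h[:], prev...), to...)
}

// Delegate returns a copy of chain extended by a link signed by the current holder.
func Delegate(capID string, chain []Link, holder ed25519.PrivateKey, to ed25519.PublicKey) []Link {
	var prev []byte
	if n := len(chain); n > 0 {
		prev = chain[n-1].Sig
	}
	return append(append([]Link{}, chain...), Link{To: to, Sig: ed25519.Sign(holder, linkMsg(capID, prev, to))})
}

// Verify checks every link from the issuer down and returns the audit path.
func Verify(capID string, issuer ed25519.PublicKey, chain []Link, presenter ed25519.PublicKey) ([]ed25519.PublicKey, error) {
	signer, path, prev := issuer, []ed25519.PublicKey{issuer}, []byte(nil)
	for i, l := range chain {
		if len(l.To) != ed25519.PublicKeySize || !ed25519.Verify(signer, linkMsg(capID, prev, l.To), l.Sig) {
			return nil, fmt.Errorf("link %d: invalid delegation", i)
		}
		signer, prev, path = l.To, l.Sig, append(path, l.To)
	}
	if !signer.Equal(presenter) { // a copied chain is useless to anyone but the last delegate
		return nil, fmt.Errorf("presenter is not the final delegate")
	}
	return path, nil
}

func main() { // constructed demo: issuer -> alice -> bob
	iPub, iPriv, _ := ed25519.GenerateKey(nil)
	aPub, aPriv, _ := ed25519.GenerateKey(nil)
	bPub, _, _ := ed25519.GenerateKey(nil)
	chain := Delegate("cap-1", Delegate("cap-1", nil, iPriv, aPub), aPriv, bPub)
	path, err := Verify("cap-1", iPub, chain, bPub)
	fmt.Println(len(path), err)
}
```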