[e-lang] RE: [cap-talk] The KeyNote Trust-Management System (fwd)
Karp, Alan H
alan.karp at hp.com
Tue Aug 30 13:25:44 EDT 2005
Further thoughts I had in the shower this morning.
I said:
> >
> > Except that now you have no accountability: Alice and Bob are
> > indistinguishable from the perspective of the system.
> (snip)
> Accountability only makes sense if the administrator knows
> who Bob is. That's a problem of distributed identity
> management, something KeyNote nicely avoids.
>
There's nothing wrong with requiring that Bob also sign with his own
private key. If the administrator knows who Bob is, i.e., knows Bob's
public key, then there is full accountability. If the administrator
doesn't know who Bob is, the signature can be forwarded to Alice who
does. (The administrator knows it's Alice because a different one-off
key pair is used for each user given a right.) Responsibility can be
passed down the delegation path as in a chain-reaction car accident.
Each party is fully responsible unless blame can be put on someone else.
In other words, if Alice doesn't want to identify Bob to the
administrator, then Alice suffers the consequences.
Even with KeyNote the way it's described, Alice can hide Bob's identity
from the administrator. All she does is create a credential to a one-off
private key and send the key and credential to Bob. The
administrator won't be able to identify Bob and will have no recourse
but to put the blame on Alice. I just don't see what you gain from the
expense of unwinding a long delegation chain.
In a separate email, Angelos Keromytis wrote:
>>
>>The argument we make is that revocation is orthogonal: you can
>>build your revocation outside the scope of the authorization --- you
>>simply remove the revoked credentials from the list of assertions you
>>consider during evaluation. I personally prefer short-lived
>>certificates, but there's nothing that stops you from using CRLs or
>>OCSP.
>>
Short-lived certificates need to be refreshed. In the limit of very
short lifetimes, you've got an on-line system, which loses one of the
advantages of using certificates.
I don't understand what credentials you remove from the list of
assertions or what you revoke with a CRL. Say that the administrator
has given Alice several assertions and wants to revoke one of them. Her
public key will appear as licensee in all of them. Are you saying that
the administrator will remove her key from some of them but not all?
Similarly, what goes in the CRL? It can't be Alice's public key. That
would revoke all of her rights.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
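The delegation scheme Karp sketches above (a distinct one-off key pair per user per right, delegates signing with their own keys, blame walking back along the chain to the nearest party the administrator can identify) as an added, self-contained model in Go. This is illustrative code written for this page, not KeyNote's implementation nor anything from the thread's authors; the `Admin` tables, the `Credential`/`Request` shapes and the per-grant `revoked` set are assumptions, and the last part goes one step beyond the text by showing that, under this scheme, revoking one grant means listing its one-off key rather than Alice's key, so her other rights survive.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Credential is a signed assertion "Issuer grants Right to Licensee".
// The root link is issued by the administrator to a one-off key; each
// later link is issued by whoever holds the previous link's licensee key.
type Credential struct {
	Issuer, Licensee ed25519.PublicKey
	Right            string
	Sig              []byte
}

func k(p ed25519.PublicKey) string { return hex.EncodeToString(p) }

func (c Credential) body() []byte {
	return []byte("issuer=" + k(c.Issuer) + ";licensee=" + k(c.Licensee) + ";right=" + c.Right)
}

// Issue signs a credential with issuerPriv (used by the admin for the root
// grant and by a delegator such as Alice when passing a right to Bob).
func Issue(issuerPriv ed25519.PrivateKey, licensee ed25519.PublicKey, right string) Credential {
	c := Credential{Issuer: issuerPriv.Public().(ed25519.PublicKey), Licensee: licensee, Right: right}
	c.Sig = ed25519.Sign(issuerPriv, c.body())
	return c
}

func (c Credential) Valid() bool { return ed25519.Verify(c.Issuer, c.body(), c.Sig) }

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Admin (assumed model): signing key, one-off keys handed out (per user per
// right), a directory of user keys it can identify, and per-grant revocation.
type Admin struct {
	priv    ed25519.PrivateKey
	oneOff  map[string]string // one-off pubkey -> user it was given to
	known   map[string]string // user pubkey -> name
	revoked map[string]bool   // one-off pubkey -> grant withdrawn
}

func NewAdmin() *Admin {
	_, priv := NewKey()
	return &Admin{priv: priv, oneOff: map[string]string{}, known: map[string]string{}, revoked: map[string]bool{}}
}

func (a *Admin) Register(name string, pub ed25519.PublicKey) { a.known[k(pub)] = name }

// Grant mints a fresh one-off key pair for (user, right) and returns the root
// credential plus the private key the administrator hands to that user.
func (a *Admin) Grant(user, right string) (Credential, ed25519.PrivateKey) {
	pub, priv := NewKey()
	a.oneOff[k(pub)] = user
	return Issue(a.priv, pub, right), priv
}

// Revoke withdraws one grant; the user's other one-off keys are untouched.
func (a *Admin) Revoke(root Credential) { a.revoked[k(root.Licensee)] = true }

// Request is an action signed by the final licensee of a delegation chain.
type Request struct {
	Chain  []Credential // root credential first
	Action string
	Signer ed25519.PublicKey
	Sig    []byte
}

func MakeRequest(chain []Credential, action string, priv ed25519.PrivateKey) Request {
	return Request{Chain: chain, Action: action, Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, []byte(action))}
}

// Authorize verifies the chain for `right` and returns (allowed, accountable
// party): the signer if the admin knows them, else the nearest identifiable
// key walking back toward the root, ultimately the one-off key's recipient.
func (a *Admin) Authorize(r Request, right string) (bool, string) {
	if len(r.Chain) == 0 || !ed25519.Verify(r.Signer, []byte(r.Action), r.Sig) {
		return false, ""
	}
	root := r.Chain[0]
	if !root.Issuer.Equal(a.priv.Public().(ed25519.PublicKey)) || a.revoked[k(root.Licensee)] {
		return false, ""
	}
	for i, c := range r.Chain { // every link: right matches, signature valid, issuer == previous licensee
		if c.Right != right || !c.Valid() || (i > 0 && !c.Issuer.Equal(r.Chain[i-1].Licensee)) {
			return false, ""
		}
	}
	if !r.Chain[len(r.Chain)-1].Licensee.Equal(r.Signer) {
		return false, ""
	}
	keys := []ed25519.PublicKey{r.Signer} // accountability walk: signer, then leaf-to-root licensees
	for i := len(r.Chain) - 1; i >= 0; i-- {
		keys = append(keys, r.Chain[i].Licensee)
	}
	for _, p := range keys {
		if name, ok := a.known[k(p)]; ok {
			return true, name
		}
		if user, ok := a.oneOff[k(p)]; ok {
			return true, user
		}
	}
	return true, "unidentified"
}

func main() {
	admin := NewAdmin()
	bobPub, bobPriv := NewKey()
	admin.Register("Bob", bobPub)
	read, alicePriv := admin.Grant("Alice", "read")
	// Bob signs with his own (known) key: Bob is accountable.
	fmt.Println(admin.Authorize(MakeRequest([]Credential{read, Issue(alicePriv, bobPub, "read")}, "read /doc", bobPriv), "read"))
	// Alice hides Bob behind a one-off key she made: blame stops at Alice.
	hidPub, hidPriv := NewKey()
	fmt.Println(admin.Authorize(MakeRequest([]Credential{read, Issue(alicePriv, hidPub, "read")}, "read /doc", hidPriv), "read"))
}
```

The chain check enforces that each link's issuer is the previous link's licensee and that every link names the same right, so a delegate cannot widen what was handed down; the accountability walk then stops at the first key the administrator can put a name to, which is exactly the "forward the signature to Alice" step in the text.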