datatracker.ietf.org
Sign in
Version 5.4.0, 2014-04-22
Report a bug

SPKI Certificate Theory
RFC 2693

Document type: RFC - Experimental (September 1999)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Document shepherd: No shepherd assigned

IESG State: RFC 2693 (Experimental)
Responsible AD: (None)
Send notices to: No addresses provided

Network Working Group                                         C. Ellison
Request for Comments: 2693                                         Intel
Category: Experimental                                         B. Frantz
                                                    Electric Communities
                                                              B. Lampson
                                                               Microsoft
                                                               R. Rivest
                                     MIT Laboratory for Computer Science
                                                               B. Thomas
                                                       Southwestern Bell
                                                               T. Ylonen
                                                                     SSH
                                                          September 1999

                        SPKI Certificate Theory

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   The SPKI Working Group has developed a standard form for digital
   certificates whose main purpose is authorization rather than
   authentication.  These structures bind either names or explicit
   authorizations to keys or other objects.  The binding to a key can be
   directly to an explicit key, or indirectly through the hash of the
   key or a name for it.  The name and authorization structures can be
   used separately or together.  We use S-expressions as the standard
   format for these certificates and define a canonical form for those
   S-expressions.  As part of this development, a mechanism for deriving
   authorization decisions from a mixture of certificate types was
   developed and is presented in this document.

   This document gives the theory behind SPKI certificates and ACLs
   without going into technical detail about those structures or their
   uses.

Ellison, et al.               Experimental                      [Page 1]
RFC 2693                SPKI Certificate Theory           September 1999

Table of Contents

   1. Overview of Contents.......................................3
   1.1 Glossary..................................................4
   2. Name Certification.........................................5
   2.1 First Definition of CERTIFICATE...........................6
   2.2 The X.500 Plan and X.509..................................6
   2.3 X.509, PEM and PGP........................................7
   2.4 Rethinking Global Names...................................7
   2.5 Inescapable Identifiers...................................9
   2.6 Local Names..............................................10
   2.6.1 Basic SDSI Names.......................................10
   2.6.2 Compound SDSI Names....................................10
   2.7 Sources of Global Identifiers............................11
   2.8 Fully Qualified SDSI Names...............................11
   2.9 Fully Qualified X.509 Names..............................12
   2.10 Group Names.............................................12
   3. Authorization.............................................12
   3.1 Attribute Certificates...................................13
   3.2 X.509v3 Extensions.......................................13
   3.3 SPKI Certificates........................................14
   3.4 ACL Entries..............................................15
   4. Delegation................................................15
   4.1 Depth of Delegation......................................15
   4.1.1 No control.............................................15
   4.1.2 Boolean control........................................16
   4.1.3 Integer control........................................16
   4.1.4 The choice: boolean....................................16
   4.2 May a Delegator Also Exercise the Permission?............17
   4.3 Delegation of Authorization vs. ACLs.....................17
   5. Validity Conditions.......................................18
   5.1 Anti-matter CRLs.........................................18
   5.2 Timed CRLs...............................................19
   5.3 Timed Revalidations......................................20
   5.4 Setting the Validity Interval............................20
   5.5 One-time Revalidations...................................20
   5.6 Short-lived Certificates.................................21
   5.7 Other possibilities......................................21
   5.7.1 Micali's Inexpensive On-line Results...................21

[include full document text]