SPKI Examples Carl M. Ellison
INTERNET-DRAFT CyberCash, Inc.
Expires: 26 May 1998
Bill Frantz
Electric Communities
Butler Lampson
Microsoft
Ron Rivest
MIT Laboratory for Computer Science
Brian M. Thomas
Southwestern Bell
Tatu Ylonen
SSH
21 November 1997
SPKI Examples
---- --------
<draft-ietf-spki-cert-examples-00.txt>
Status of This Document
This document is one of three, superseding the draft filed under the
name draft-ietf-spki-cert-structure-02.txt. This draft contains
examples of SPKI structures for various applications. The structure
definition is to be found in draft-ietf-spki-cert-structure-03.txt
and the theory behind SPKI certificates is to be found in draft-
ieft-spki-cert-theory-01.txt.
This document supersedes the draft filed under the name draft-ietf-
spki-cert-structure-01.txt and reflects changes in the structure to
simplify it. The draft ends with a list of open questions for group
discussion.
Distribution of this document is unlimited. Comments should be sent
to the SPKI (Simple Public Key Infrastructure) Working Group mailing
list <spki@c2.org> or to the authors.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
Ellison, et al. [Page 1]
INTERNET-DRAFT SPKI Examples 21 November 1997
months. Internet-Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet-
Drafts as reference material or to cite them other than as a
``working draft'' or ``work in progress.''
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (East USA), ftp.isi.edu (West USA),
nic.nordu.net (North Europe), ftp.nis.garr.it (South Europe),
munnari.oz.au (Pacific Rim), or ftp.is.co.za (Africa).
Ellison, et al. [Page 2]
INTERNET-DRAFT SPKI Examples 21 November 1997
Abstract
With the proliferation of public key cryptography on the Internet,
there arises a need for certification of keys. In the literature,
the word ''certificate'' has generally been taken to mean ''identity
certificate'': a signed statement which binds a key to the name of an
individual and has the intended meaning of delegating authority from
that named individual to the public key. (See, for example, RFC
1422.) This process is designed to copy a relationship between two
entities from the physical world into the digital world.
The Internet itself changed the world from the one in which identity
certificates made sense. We now deal with people we have never met
and never will, which makes their names meaningless to us, but we
still need to verify whether they are authorized to perform some
action, achieve some access, sign some document, etc.
SPKI certificates were designed to perform that function by directly
specifying the <permission,key> binding which is of interest in the
digital world. As merged with SDSI, the current certificate format
also allows someone to bind a key to a name in their own private name
space. The certificate structure presented here allows permissions
to be delegated to SDSI-named individuals or to raw keys.
Acknowledgments
Several independent contributions, published elsewhere on the net or
in print, worked in synergy with our effort. Especially important to
our work were: [SDSI], [BFL] and [RFC2065]. The inspiration we
received from the notion of CAPABILITY in its various forms (SDS-940,
Kerberos, DEC DSSA, [SRC-070], KeyKOS [HARDY]) can not be over-rated.
Significant contributions to this effort by the members of the SPKI
mailing list and especially the following persons (listed in
alphabetic order) are gratefully acknowledged: Steve Bellovin, Mark
Feldman, John Gilmore, Phill Hallam-Baker, Bob Jueneman, David Kemp,
Angelos D. Keromytis, Paul Lambert, Jon Lasser, Jeff Parrett, Bill
Sommerfeld, Simon Spero.
Ellison, et al. [Page 3]
INTERNET-DRAFT SPKI Examples 21 November 1997
1. Examples
The <tag> fields listed here are not meant to be an exhaustive list
of all possible <tag>s. Such is not possible. The final arbiter of
what needs to be an <tag> and what parameters a particular <tag>
needs is the designer of the code which verifies a certificate, e.g.,
to grant access. Listed here are <tag> fields we suspect might be
useful and we present these here as a guide to the developer's
imagination.
1.1 ftp tag
(tag (ftp cybercash.com cme ))
This <tag> indicates that the Subject has permission to do FTP into
host cybercash.com as user cme.
1.2 http tag
(tag (http http://acme.com/company-private/personnel/ ))
This <tag> gives the Subject permission to access web pages which
start with the given URI.
1.3 telnet tag
(tag (telnet clark.net cme ))
This <tag> gives the Subject permission to telnet into host clark.net
as user cme.
1.4 Public Key Protected File System tags
(tag (pkpfs //<host-name>/<path> <access> ))
(tag (pkpfs (* prefix //<host-name>/<path>/) <access> ))
refers to a hypothetical distributed file system whose access is
controlled by public key challenge/response. The first form gives
access to a single file or a small set of files (by use of "*" in the
file name) while the second form gives access to an entire sub-
directory.
Ellison, et al. [Page 4]
INTERNET-DRAFT SPKI Examples 21 November 1997
<access> is a (* set ...) whose elements are chosen from: (read)
(write) (append) (delete) (execute)
1.5 Authority to spend money
(tag (spend <bank> <account> (* range le <amount> )))
indicates that the subject has authority to authorize spending up to
<amount> per electronic check from <account> at <bank>.
1.6 Process Server cert
A process server certificate, mentioned in Section 3.5.5.2, might
have the form:
(cert
(issuer (hash md5 |u2kl73MiObh5o1zkGmHdbA==|))
(subject (keyholder (hash md5 |kuXyqx8jYWdZ/j7Vffr+yg==| key2-pub)))
(tag (tracking-fee "150" USD))
(not-after "2003-01-01_00:00:00")
)
{KDQ6Y2VydCg2Omlzc3Vlcig0Omhhc2gzOm1kNTE2OrtpJe9zIjm4eaNc5Bp
h3WwpKSg3OnN1YmplY3QoOTprZXlob2xkZXIoNDpoYXNoMzptZDUxNjqS5fK
rHyNhZ1n+PtV9+v7KODprZXkyLXB1YikpKSgzOnRhZygxMjp0cmFja2luZy1
mZWUzOjE1MDM6VVNEKSkoOTpub3QtYWZ0ZXIxOToyMDAzLTAxLTAxXzAwOjA
wOjAwKSk=}
noting in its tag field that it will serve papers on the indicated
Keyholder for a tracking fee of $150 until the beginning of 2003.
1.7 PICS-like ratings cert
(cert
(issuer (hash md5 |Ut9m14byPzdbCNZWdDjNQg==|))
(subject
(object-hash
(hash md5 |vN6ySKWE9K6T6cP9U5wntA==|
http://www.clark.net/pub/cme/home.html)))
(tag (ratings (sex "0") (violence "0") (crypto "6")))
)
Ellison, et al. [Page 5]
INTERNET-DRAFT SPKI Examples 21 November 1997
{KDQ6Y2VydCg2Omlzc3Vlcig0Omhhc2gzOm1kNTE2OlLfZteG8j83WwjWVnQ
4zUIpKSg3OnN1YmplY3QoMTE6b2JqZWN0LWhhc2goNDpoYXNoMzptZDUxNjq
83rJIpYT0rpPpw/1TnCe0Mzg6aHR0cDovL3d3dy5jbGFyay5uZXQvcHViL2N
tZS9ob21lLmh0bWwpKSkoMzp0YWcoNzpyYXRpbmdzKDM6c2V4MTowKSg4OnZ
pb2xlbmNlMTowKSg2OmNyeXB0bzE6NikpKSk=}
1.8 Virus checking cert
(cert
(issuer (hash md5 |Ut9m14byPzdbCNZWdDjNQg==|))
(subject
(object-hash
(hash md5 |szKSlSK+SNzIsHH3wjAsTQ==| runemacs.exe)))
(tag virus-free)
)
{KDQ6Y2VydCg2Omlzc3Vlcig0Omhhc2gzOm1kNTE2OlLfZteG8j83WwjWVnQ
4zUIpKSg3OnN1YmplY3QoMTE6b2JqZWN0LWhhc2goNDpoYXNoMzptZDUxNjq
zMpKVIr5I3MiwcffCMCxNMTI6cnVuZW1hY3MuZXhlKSkpKDM6dGFnMTA6dml
ydXMtZnJlZSkp}
1.9 Full sequence, with donation cert
For one full example of a real certificate, the following sequence
presents the public key used, calls for the verifier to hash it (and
store it away, to be referred to later by its hash), gives a
certificate body and then a signature (which by side-effect calls for
the previous object to be stored and hashed by the signature
algorithm's hash function). The example used is a temporary donation
cert.
(sequence
(public-key rsa-pkcs1-md5
(e #03#)
(n
|AKMbo+VBqLu+90l2UuuGquzxLIXpqIypkSkrfEVprA0K2Vfm5ufmNZG3
0yWqdnXlxdGuyyBglj+FloXTrqHWSQQJfvTv5EMBz+icJ2GMbjtP1zCY8
krmchh5v/O3BntEwaq1hkMtmP+ZeFjI5yQ/YC2vVc5K1PTy+GOSP+xvYK
C1|)
)
(do hash md5)
(cert
Ellison, et al. [Page 6]
INTERNET-DRAFT SPKI Examples 21 November 1997
(issuer (hash md5 |Z4a6hysK/0qN0L5SFkcJFQ==|))
(subject
(keyholder (hash md5 |Z4a6hysK/0qN0L5SFkcJFQ==|)))
(tag
(* set
(name "Carl M. Ellison")
(street "207 Grindall St.")
(city "Baltimore MD 21230-4103")))
(not-after "1997-08-15_00:00:00"))
(signature
(hash md5 |PC4M1LNpkMHtgacc73ch5A==|)
(hash md5 |Z4a6hysK/0qN0L5SFkcJFQ==| cme.key)
|PQkhssqNW191aVwNR9DflDQemWf/E2maSdIk/5GulzRB7cjagEn9FqI9J
vGOTkqT5miJmsFx9pY5nXQxp+tJZdwLYeSEA3iAzjcwBY1qG+DQqpWu2AC
JqSnnKmo6kh8KbbySNtCbpguNJs2WM/eRBdkph/AUjTkqe0Xnv/mKEXA=|
)
)
with canonical form encoded in base 64:
{KDg6c2VxdWVuY2UoMTA6cHVibGljLWtleTEzOnJzYS1wa2NzMS1tZDUoMTp
lMToDKSgxOm4xMjk6AKMbo+VBqLu+90l2UuuGquzxLIXpqIypkSkrfEVprA0
K2Vfm5ufmNZG30yWqdnXlxdGuyyBglj+FloXTrqHWSQQJfvTv5EMBz+icJ2G
MbjtP1zCY8krmchh5v/O3BntEwaq1hkMtmP+ZeFjI5yQ/YC2vVc5K1PTy+GO
SP+xvYKC1KSkoMjpkbzQ6aGFzaDM6bWQ1KSg0OmNlcnQoNjppc3N1ZXIoNDp
oYXNoMzptZDUxNjpnhrqHKwr/So3QvlIWRwkVKSkoNzpzdWJqZWN0KDk6a2V
5aG9sZGVyKDQ6aGFzaDM6bWQ1MTY6Z4a6hysK/0qN0L5SFkcJFSkpKSgzOnR
hZygxOiozOnNldCg0Om5hbWUxNTpDYXJsIE0uIEVsbGlzb24pKDY6c3RyZWV
0MTY6MjA3IEdyaW5kYWxsIFN0LikoNDpjaXR5MjM6QmFsdGltb3JlIE1EIDI
xMjMwLTQxMDMpKSkoOTpub3QtYWZ0ZXIxOToxOTk3LTA4LTE1XzAwOjAwOjA
wKSkoOTpzaWduYXR1cmUoNDpoYXNoMzptZDUxNjo8LgzUs2mQwe2BpxzvdyH
kKSg0Omhhc2gzOm1kNTE2OmeGuocrCv9KjdC+UhZHCRU3OmNtZS5rZXkpMTI
4Oj0JIbLKjVtfdWlcDUfQ35Q0Hpln/xNpmknSJP+Rrpc0Qe3I2oBJ/RaiPSb
xjk5Kk+ZoiZrBcfaWOZ10MafrSWXcC2HkhAN4gM43MAWNahvg0KqVrtgAiak
p5ypqOpIfCm28kjbQm6YLjSbNljP3kQXZKYfwFI05KntF57/5ihFwKSk=}
Ellison, et al. [Page 7]
INTERNET-DRAFT SPKI Examples 21 November 1997
Authors' Addresses
Carl M. Ellison
CyberCash, Inc.
207 Grindall Street
Baltimore MD 21230-4103 USA
Telephone: +1 410-727-4288
+1 410-727-4293(FAX)
+1 703-620-4200(main office, Reston, Virginia, USA)
EMail: cme@cybercash.com
cme@acm.org
Web: http://www.clark.net/pub/cme
Bill Frantz
Electric Communities
10101 De Anza Blvd.
Cupertino CA 95014
Telephone: +1 408-342-9576
Email: frantz@netcom.com
Butler Lampson
Microsoft
180 Lake View Ave
Cambridge MA 02138
Telephone: +1 617-547-9580 (voice + FAX)
EMail: blampson@microsoft.com
Ron Rivest
Room 324, MIT Laboratory for Computer Science
545 Technology Square
Cambridge MA 02139
Telephone: +1-617-253-5880
+1-617-258-9738(FAX)
Email: rivest@theory.lcs.mit.edu
Web: http://theory.lcs.mit.edu/~rivest
Brian Thomas
Southwestern Bell
One Bell Center, Room 23Q1
St. Louis MO 63101 USA
Telephone: +1 314-235-3141
Ellison, et al. [Page 8]
INTERNET-DRAFT SPKI Examples 21 November 1997
+1 314-331-2755(FAX)
EMail: bt0008@entropy.sbc.com
Tatu Ylonen
SSH Communications Security Ltd.
Tekniikantie 12
FIN-02150 ESPOO
Finland
E-mail: ylo@ssh.fi
Expiration and File Name
This draft expires 26 May 1998.
Its file name is draft-ietf-spki-cert-examples-00.txt
Ellison, et al. [Page 9]