On Wed, 2 Jun 1999 [EMAIL PROTECTED] wrote:
> 
> We are investigating the use of public key certificates, either x509, SPKI
> or other, to establish trust among two `strangers` (parties without a prior
> long term relationship). We will appreciate any feedback, and are looking
> forward to serious parties interested in pilot deployments. Please see our
> site http://www.hrl.il.ibm.com/TrustEstablishment, and in particular the
> paper: Access Control Meets Public Key Infrastructure, Or: Assigning Roles
> to Strangers
> 
> Best Regards,
> Amir Herzberg
> Manager, E-Business and Security Technologies
> IBM Research - Haifa Lab (Tel Aviv Office)
> http://www.hrl.il.ibm.com
> New e-mail: [EMAIL PROTECTED]
> New Lotus notes mail: amir herzberg/haifa/ibm@IBMIL

The function of the 'collector' seems to be dependent upon a secure DNS or
some way of authenticating the sites which are visited to collect the
missing certs.  I have only made a quick pass through the document and I
may have missed something important.  If the collector acts on URLs then
it is subject to spoofing and inherent weaknesses in the DNS.

The message above seems to indicate that different forms of certificates
may be used; the paper itself indicates X.509v3 only.  I'm not keen on
X.509, for some of the same reasons that led to the development of SPKI,
but I don't want to light off another religious battle on BER encoding and
ASN.1, etc.  I'll send some comments on that for 66 Swiss francs.

In the example,

|<!---- Second rule : a hospital recommended by at least 2 hospitals, and
|there is no warning about it from any hospital ---> 
|  <RULE>
|    <INCLUSION ID="reco" TYPE="Recommendation" FROM="hospitals"
|REPEAT=2></INCLUSION>
|    <EXCLUSION ID="warn" TYPE="Warning" FROM="hospitals"></EXCLUSION>
|      <FUNCTION>

how does the 'exclusion' work without an exhaustive search of all hospital
issuers or collectors?  Is there a central global repository of 'warnings'
in this example, like CRLs?  I read the description of the 'exclusion'
tag, but it escapes me how that would work in a practical sense.  Is it
the same thing as saying there are no certificates anywhere where issuer =
hospital that contain a warning about the subject hospital?  Does it mean
that if there is a warning found in the local database or in certs we have
already collected, then the subject hospital is excluded?  It would seem
in a policy like the one in the example, that an affirmative action would
be required on the part of the TE to go and see if there are any warnings,
anywhere, that relate to that hospital.  Similar to a CRL?

Based on a first reading, you seem to have taken elements from some of the
better work being done and applied them in potentially interesting ways.
I'll read it over again in the daylight.
--
pjp
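
Added example, not part of the original message or the paper: one possible reading of the quoted rule, in which the exclusion is evaluated only over certificates already collected. The `Cert` fields, `evaluate_rule`, `unchecked_issuers` and all sample data are hypothetical; the point is that the verdict depends on which issuers were actually consulted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str   # who signed the statement
    subject: str  # who the statement is about
    type: str     # "Recommendation" or "Warning"


def evaluate_rule(subject, collected, hospitals, repeat=2):
    """Closed-world reading of the quoted rule: judge only the certs in hand.

    Returns (admitted, recommenders, warners). Signature verification is
    assumed to have happened before a cert enters `collected`.
    """
    recommenders = {c.issuer for c in collected
                    if c.subject == subject and c.type == "Recommendation"
                    and c.issuer in hospitals}
    warners = {c.issuer for c in collected
               if c.subject == subject and c.type == "Warning"
               and c.issuer in hospitals}
    # INCLUSION needs `repeat` distinct issuers; EXCLUSION needs zero warners.
    admitted = len(recommenders) >= repeat and not warners
    return admitted, recommenders, warners


def unchecked_issuers(hospitals, queried):
    """Group members whose repositories were never asked for warnings."""
    return set(hospitals) - set(queried)


# Constructed sample data (not from the paper).
HOSPITALS = {"hosp-a", "hosp-b", "hosp-c", "hosp-d"}
LOCAL = [
    Cert("hosp-a", "hosp-x", "Recommendation"),
    Cert("hosp-b", "hosp-x", "Recommendation"),
]
# A warning that exists at hosp-d but was never collected.
REMOTE_ONLY = [Cert("hosp-d", "hosp-x", "Warning")]

if __name__ == "__main__":
    # Admitted on local evidence alone, with two issuers never consulted.
    print(evaluate_rule("hosp-x", LOCAL, HOSPITALS))
    print(unchecked_issuers(HOSPITALS, {"hosp-a", "hosp-b"}))
    # Same subject, rejected once the uncollected warning is included.
    print(evaluate_rule("hosp-x", LOCAL + REMOTE_ONLY, HOSPITALS))
```

Under this reading a non-empty `unchecked_issuers` result means the exclusion was only partially tested, which is the gap the CRL comparison above points at.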

