分享
 
 
 

RFC2692 - SPKI Requirements

王朝other·作者佚名  2008-05-31
窄屏简体版  字體: |||超大  

Network Working Group C. Ellison

Request for Comments: 2692 Intel

Category: EXPerimental September 1999

SPKI Requirements

Status of this Memo

This memo defines an Experimental Protocol for the Internet

community. It does not specify an Internet standard of any kind.

Discussion and suggestions for improvement are requested.

Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

The IETF Simple Public Key InfrastrUCture [SPKI] Working Group is

tasked with producing a certificate structure and operating procedure

to meet the needs of the Internet community for trust management in

as easy, simple and extensible a way as possible.

The SPKI Working Group first established a list of things one might

want to do with certificates (attached at the end of this document),

and then summarized that list of desires into requirements. This

document presents that summary of requirements.

Table of Contents

Charter of the SPKI working group................................2

Background.......................................................2

General Requirements.............................................3

Validity and CRLs................................................4

Implementation of Certificates...................................4

List of Certificate Uses.........................................5

Open Questions..................................................11

References......................................................12

Security Considerations.........................................12

Author's Address................................................13

Full Copyright Statement........................................14

Charter of the SPKI working group

Many Internet protocols and applications which use the Internet

employ public key technology for security purposes and require a

public key infrastructure to manage public keys.

The task of the working group will be to develop Internet standards

for an IETF sponsored public key certificate format, associated

signature and other formats, and key acquisition protocols. The key

certificate format and associated protocols are to be simple to

understand, implement, and use. For purposes of the working group,

the resulting formats and protocols are to be known as the Simple

Public Key Infrastructure, or SPKI.

The SPKI is intended to provide mechanisms to support security in a

wide range of Internet applications, including IPSEC protocols,

encrypted electronic mail and WWW documents, payment protocols, and

any other application which will require the use of public key

certificates and the ability to Access them. It is intended that the

Simple Public Key Infrastructure will support a range of trust

models.

Background

The term certificate traces back to the MIT bachelor's thesis of

Loren M. Kohnfelder [KOHN]. Kohnfelder, in turn, was responding to a

suggestion by Diffie and Hellman in their seminal paper [DH]. Diffie

and Hellman noted that with public key cryptography, one no longer

needs a secure channel over which to transmit secret keys between

communicants. Instead, they suggested, one can publish a modified

telephone book -- one with public keys in place of telephone numbers.

One could then look up his or her desired communication partner in

the Directory, find that person's public key and open a secure

channel to that person. Kohnfelder took that suggestion and noted

that an on-line service has the disadvantage of being a performance

bottleneck. To replace it, he proposed creation of digitally signed

directory entries which he called certificates. In the time since

1978, the term certificate has frequently been assumed to mean a

binding between name and key.

The SPKI team directly addressed the issue of <name,key> bindings and

realized that such certificates are of extremely limited use for

trust management. A keyholder's name is one attribute of the

keyholder, but as can be seen in the list of needs in this document,

a person's name is rarely of security interest. A user of a

certificate needs to know whether a given keyholder has been granted

some specific authorization.

General Requirements

We define the term KEYHOLDER of a public key to refer to the person

or other entity that controls the corresponding private key.

The main purpose of an SPKI certificate is to authorize some action,

give permission, grant a capability, etc. to or for a keyholder.

The keyholder is most directly identified by the public key itself,

although for convenience or other purposes some indirection (delayed

binding) may be employed. That indirection can be via a collision-

free hash of the public key or via a name, later to be resolved into

a key.

The definition of attributes or authorizations in a certificate is up

to the author of code which uses the certificate. The creation of

new authorizations should not require interaction with any other

person or organization but rather be under the total control of the

author of the code using the certificate.

Because SPKI certificates might carry information that the keyholder

might not want to publish, we assume that certificates will be

distributed directly by the keyholder to the verifier. If the

keyholder wishes to use a global repository, such as LDAP, the global

PGP key server or the DNS database, that is up to the keyholder and

not for the SPKI WG to specify.

Because SPKI certificates will carry information that, taken together

over all certificates, might constitute a dossier and therefore a

privacy violation, each SPKI certificate should carry the minimum

information necessary to get a job done. The SPKI certificate is

then to be like a single key rather than a key ring or a single

credit card rather than a whole wallet. The keyholder should be able

to release a minimum of information in order to prove his or her

permission to act.

It is necessary for at least some certificates to be anonymous.

Because one use of SPKI certificates is in secret balloting and

similar applications, an SPKI certificate must be able to assign an

attribute to a blinded signature key.

One attribute of a keyholder is a name. There are names the

keyholder prefers to be called and there are names by which the

keyholder is known to various other keyholders. An SPKI certificate

must be able to bind a key to such names. The SDSI work of Rivest

and Lampson has done an especially good job of defining and using

local name spaces, therefore if possible SPKI should support the SDSI

name construct. [Note: SPKI and SDSI have merged.]

Validity and CRLs

An SPKI certificate, like any other, should be able to carry a

validity period: dates within which it is valid. It may also be

necessary to have on-line refinement of validity. This is frequently

achieved via a Certificate Revocation List (CRL) in previous

certificate designs.

A minimal CRL contains a list of revoked certificates, identified

uniquely, a sequence number and a signature. Its method of

transmission is not specified. If it encounters some certificate

that it lists, then it annihilates that certificate. If it

encounters a previous CRL, as indicated by sequence number, then it

annihilates that previous CRL. Such a CRL leads to non-deterministic

program behavior. Therefore, we take as a requirement that if SPKI

uses CRLs, then the certificate that uses it must explicitly tell the

verifier where to find the CRL, the CRL must carry explicit validity

dates and the dates of a sequence of CRLs must not overlap. Under

this set of requirements, behavior of certificate validation is

deterministic (aside from the question of clock skew).

A CRL is a negative statement. It is the digital equivalent of the

little paper books of bad checks or bad credit cards that were

distributed to cashiers in the 1970's and before. These have been

replaced in the retail world by positive statements -- on-line

validation of a single check, ATM card or credit card.

SPKI should support both positive and negative on-line validations.

Any CRL or revalidation instrument must have its own lifetime. A

lifetime of 0 is not possible because of communication delays and

clock skews, although one can consider an instrument whose lifetime

is "one use" and which is delivered only as part of a

challenge/response protocol.

Implementation of Certificates

The authorization certificates that are envisioned for SPKI (and

needed to meet the demands of the list given at the end of this

document) should be generated by any keyholder empowered to grant or

delegate the authorization in question. The code to generate

certificates should be written by many different developers,

frequently persons acting alone, operating out of garages or dorm

rooms. This leads to a number of constraints on the structure and

encoding of certificates. In addition, SPKI certificates should be

usable in very constrained environments, such as smart cards or small

embedded systems. The code to process them and the memory to store

them should both be as small as possible.

An SPKI certificate should be as simple as possible. There should be

a bare minimum of fields necessary to get the job done and there

should be an absolute minimum of optional fields. In particular, the

structure should be specific enough that the creator of a certificate

is constrained by the structure definition, not by complaints (or

error messages) from the reader of a certificate.

An SPKI certificate should be described in as simple a method as

possible, relating directly to the kind of structures a C or PASCAL

programmer would normally write.

No library code should be required for the packing or parsing of SPKI

certificates. In particular, ASN.1 is not to be used.

A certificate should be signed exactly as it is transmitted. There

should be no reformatting called for in the process of checking a

certificate's signature (although one might canonicalize white space

during certificate input, for example, if the format is text).

For efficiency, if possible, an SPKI certificate should be encoded in

an LR(0) grammar. That is, neither packing nor parsing of the

structure should require a scan of the data. Data should be read

into the kind of structure a programmer would want to use without

touching the incoming bytes more than once.

For efficiency, if possible, an SPKI certificate should be packed and

parsed without any recursion.

List of Certificate Uses

The list below is a brainstorming list, accumulated on the SPKI

mailing list, of uses of such certificates.

- I need a certificate to give me permission to write electronic

checks.

- My bank would need a certificate, proving to others that it is

a bank capable of cashing electronic checks and permitted to

give permission to people to write electronic checks.

- My bank would issue a certificate signing the key of a master

bank certifier -- perhaps NACHA -- so that I could follow a

certificate chain from a key I know (my bank's) to the key of

any other bank in the US and, similarly, to any other bank in

the world.

- I might generate a certificate (a "reputation voucher") for a

friend to introduce him to another friend -- in which

certificate I could testify to my friend's political opinion

(e.g., libertarian cypherpunk) or physical characteristics or

anything else of interest.

- I might have a certificate giving my security clearance, signed

by a governmental issuing authority.

- I want a certificate for some software I have downloaded and am

considering running on my computer -- to make sure it hasn't

changed and that some reputable company or person stands behind

it.

- I need certificates to bind names to public keys:

- [traditional certificate] binding a key to a name, implying

"all the attributes of the real person having this name are

transferred to this key by this certificate". This requires

unique identification of a person (which is difficult in

non-digital space, as it is) and someone trustworthy binding

that unique name to the key in question. In this model, a

key starts out naked and acquires attributes, permissions

and authority from the person bound to it.

- [direct certificate] binding a name to a key, implying "I

(the person who is able to use the associated private key to

make this signature) declare that I go by the name of

XXXXXXX." The unique identification of the key is automatic

-- from the key itself or a cryptographic hash of the key.

The binding is done by the key itself -- in a self-signed

certificate. In this model, a key is loaded with

attributes, permissions and authority directly by other

certificates, not indirectly through some person's name, and

this certificate declares only a name or nickname by which

the key's owner likes to be addressed.

- [personal binding] binding a key to a nickname. This kind

of certificate is signed by me, singing someone else's key

and binding it to a nickname by which I know that person.

It is for my use only -- never given out -- and is a signed

certificate to prevent tampering with my own private

directory of keys. It says nothing about how I certified

the binding to my own satisfaction between the key and my

friend.

- I might be doing genealogy and be collecting what amounts to

3x5 cards with facts to be linked together. Some of these

links would be from one content to another reference [e.g.,

indexing and cross-referencing]. Others might be links to the

researcher who collected the fact. By rights, the fact should

be signed by that researcher. Viewing only the signature on

the fact and the link to the researcher, this electronic 3x5

card becomes a certificate.

- I want to sign a contract to buy a house. What kind of

certificate do I need?

- I have found someone on the net and she sounds really nice.

Things are leading up to cybersex. How do I make sure she's

not really some 80-year-old man in a nursing home?

- I have met someone on the net and would like a picture of her

and her height, weight and other measurements from a

trustworthy source.

- Can I have a digital marriage license?

- Can I have a digital divorce decree?

- ..a digital Voter Registration Card?

- There are a number of cards one carries in a typical wallet

which could become certificates attached to a public key:

- health insurance card

- prescription drug card

- driver's license (for permission to drive)

- driver's license (for permission to buy alcohol)

- supermarket discount card

- supermarket check-cashing card [I know -- anachronism]

- Blockbuster Video rental card

- ATM card

- Credit card

- membership card in the ACLU, NRA, Republican party, Operation

Rescue, NARAL, ACM, IEEE, ICAR....

- Red Cross blood donor card

- Starbuck's Coffee buy-10-get-1-free card

- DC Metro fare card

- Phone calling card

- Alumni Association card

- REI Membership card

- Car insurance card

- claim check for a suitcase

- claim check for a pawned radio

- authorization for followup visits to a doctor, after surgery

- Better Business Bureau [BBB] style reputation certificates

[testimonies from satisfied customers]

- BBB-style certificate that no complaints exist against a

business or doctor or dentist, etc.

- LDS Temple Recommend

- Stock certificate

- Stock option

- Car title

- deed to land

- proof of ownership of electronic equipment with an ID number

- time card certificate [activating a digital time clock]

- proof of degree earned [PhD, LLD, MD, ...]

- permission to write digitally signed prescriptions for drugs

- permission to spend up to $X of a company's money

- permission to issue nuclear launch codes

- I'm a sysadmin, I want to carry a certificate, signed by SAGE,

that says I'm good at the things sysadmins are good at.

- I'm that same sysadmin, I want an ephemeral certificate that

grants me root access to certain systems for the day, or the

week, or...

Certain applications *will* want some form of auditing, but the

audit identity should be in the domain of the particular

application... For instance an "is a system administrator of

this host" certificate would probably want to include an audit

identity, so you can figure out which of your multiple admins

screwed something up.

- I'm an amateur radio operator. I want a signed certificate

that says I'm allowed to engage in amateur radio, issued by the

DOC. [I currently have a paper version of one]. This would be

useful in enforcing access policies to the amateur spectrum;

and in tracking abuse of that same spectrum. Heck! extend

this concept to all licensed spectrum users.

- I'm the a purchasing agent for a large corporation. I want to

posses a certificate that tells our suppliers that I'm

authorized to make purchases up to $15,000. I don't want the

suppliers to know my name, lest their sales people bug me too

much. I don't want to have to share a single "Megacorp

Purchasing Department Certificate" with others doing the same

job [the private key would need to be shared--yuck!].

- "This signed-key should be considered equivalent to the

certifying-key until this certificate expires for the following

purposes ..."

[This is desirable when you wish to reduce the exposure of

long-term keys. One way to do this is to use smart cards,

but those typically have slow processors and are connected

through low-bandwidth links; however, if you only use the

smart card at "login" time to certify a short-term key pair,

you get high performance and low exposure of the long term

key.

I'll note here that this flies in the face of attempts to

prevent delegation of certain rights. Maybe we need a

"delegation-allowed" bit -- but there's nothing to stop

someone who wishes to delegate against the rules from also

loaning out their private key.].

- "I am the current legitimate owner of a particular chunk of

Internet address space."

[I'd like to see IPSEC eventually become usable, at least

for privacy, without need for prior arrangement between

sites, but I think there's a need for a "I own this

address"/"I own this address range" certificate in order for

IPSEC to coexist with existing ip-address-based firewalls.]

- "I am the current legitimate owner of a this DNS name or

suBTree."

- "I am the legitimate receiver of mail sent to this rfc822 email

address. [this might need to be signed by a key which itself

had been certified by the appropriate "DNS name owner"

certificate]."

[This is in case I know someone owns a particular e-mail

address but I don't know their key.]

- Encryption keys for E-mail and file encryption

- Authentication of people or other entities

- Digital signatures (unforgeability)

- Timestamping / notary services

- Host authentication

- Service authentication

Other requirements:

- Trust model must be a web (people want to choose whom they

trust). People must be able to choose whom they trust or

consider reliable roots (maybe with varying reliabilities).

- Some applications (e.g., notary services) require highly

trusted keys; generation complexity is not an issue here.

- Some applications (e.g., host authentication) require

extremely light (or no) bureaucracy. Even communication

with the central administrator may be a problem.

- Especially in lower-end applications (e.g. host

authentication) the people generating the keys (e.g.,

administrators) will change, and you will no longer want

them to be able to certify. On the other hand, you will

usually also not want all keys they have generated to

expire. This may imply a "certification right expiration"

certificate requirement, probably to be implemented together

with notary services.

- Keys will need to be cached locally to avoid long delays

fetching frequently used keys. Cf. current name servers.

The key infrastructure may in future get used almost as

often as the name server. The caching and performance

requirements are similar.

- Reliable distribution of key revocations and other

certificates (e.g., the ceasing of the right to make new

certificates). May involve goals like "will have spread

everywhere in 24 hours" or something like that. This

interacts with caching.

Open Questions

Given such certificates, there remain some questions, most to do with

proofs of the opposite of what a certificate is designed to do.

These do not have answers provided by certificate definition or

issuing alone.

- Someone digitally signs a threatening e-mail message with my

private key and sends it to president@whitehouse.gov. How do I

prove that I didn't compose and send the message? What kind of

certificate characteristic might help me in this?

This is an issue of (non-)repudiation and therefore a matter of

private key protection. Although this is of interest to the

user of certificates, certificate format, contents or issuing

machinery can not ensure the protection of a user's private key

or prove whether or not a private key has been stolen or

misused.

- Can certificates help do a title scan for purchase of a house?

Certificates might be employed to carry information in a

tamper-proof way, but building the database necessary to record

all house titles and all liens is a project not related to

certificate structure.

- Can a certificate be issued to guarantee that I am not already

married, so that I can then get a digital marriage license?

The absence of attributes can be determined only if all

relevant records are digitized and all parties have inescapable

IDs. The former is not likely to happen in our lifetimes and

the latter receives political resistance.

A certificate can communicate the 'positive' attribute "not

already married" or "not registered as a voter in any other

district". That assumes that some organization is capable of

determining that fact for a given keyholder. The method of

determining such a negative fact is not part of the certificate

definition.

- The assumption in most certificates is that the proper user will

protect his private key very well, to prevent anyone else from

accessing his funds. However, in some cases the certificate

itself might have monetary value [permission to prescribe drugs,

permission to buy alcohol, ...]. What is to prevent the holder of

such a certificate from loaning out his private key?

This is a potential flaw in any system providing authorization

and an interesting topic for study. What prevents a doctor or

dentist from selling prescriptions for controlled substances to

drug abusers?

References

[DH] Diffie and Hellman, "New Directions in Cryptography", IEEE

Transactions on Information Theory IT-22, 6 (Nov. 1976), 644-

654.

[KOHN] Loren Kohnfelder, "Towards a Practical Public-key

Cryptosystem", Bachelor's thesis, MIT, May, 1978.

Security Considerations

Security issues are discussed throughout this memo.

Author's Address

Carl M. Ellison

Intel Corporation

2111 NE 25th Ave M/S JF3-212

Hillsboro OR 97124-5961 USA

Phone: +1-503-264-2900

Fax: +1-503-264-6225

EMail: carl.m.ellison@intel.com

cme@alum.mit.edu

Web: http://www.pobox.com/~cme

Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to

others, and derivative works that comment on or otherwise explain it

or assist in its implementation may be prepared, copied, published

and distributed, in whole or in part, without restriction of any

kind, provided that the above copyright notice and this paragraph are

included on all such copies and derivative works. However, this

document itself may not be modified in any way, such as by removing

the copyright notice or references to the Internet Society or other

Internet organizations, except as needed for the purpose of

developing Internet standards in which case the procedures for

copyrights defined in the Internet Standards process must be

followed, or as required to translate it into languages other than

English.

The limited permissions granted above are perpetual and will not be

revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an

"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING

TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING

BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION

HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFCEditor function is currently provided by the

Internet Society.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有