key K_Bob. (The “1” just indicates that the certificate is valid.) Given such a
binding, a reference to the SDSI name “K_Alice bob” can be resolved to the
key K_Bob, which Bob can prove he controls when he needs to prove that he
is the referenced principal.
Whereas a local name is a key followed by an identifier, an extended name
is a key followed by two or more identifiers. The meaning of an extended name
is the result of multiple bindings of local names. For instance, if Bob were to
issue the certificate (K_Bob, friend, K_Carol, 1), then the extended name
“K_Alice bob friend” could be resolved to K_Carol. This brings up another
important point about SDSI names: they can refer to more than one principal.
For instance, Bob could also issue (K_Bob, friend, K_Dave friend, 1) with the
effect that “K_Alice bob friend” would refer not only to Carol, but to all of
Dave's friends as well.
Thus, SDSI names (both local and extended) can denote groups of keys and,
equivalently, properties of key owners.
In general, SDSI name certificates are 4-tuples of the form (K, A, S, V),
in which K is the key used to issue the certificate, “K A” is the local name
being defined, S is either a key, a local name, or an extended name, and V is
a certificate validity bit.
A key point about SDSI's use of name spaces is that names that start
with different keys are different names, so there is no danger of controllers of
different public keys accidentally trying to bind the same name in conflicting
ways. In other words, global uniqueness of names can be achieved without
necessitating coordination among naming authorities.
While SDSI contributed to SPKI/SDSI name certificates that are used to
bind names to public keys, SPKI contributed authorization certificates. These
are 5-tuples of the form (K, A, D, T, V) in which K is the key issuing the
certificate, A is the subject of the certificate, D is a delegation bit which indicates
whether the authorization being conveyed to A can be further delegated by A,
T is a tag that specifies the authorization being granted, and V is a certificate
validity bit. While in the original design of SPKI, A was required to be a key,
in SPKI/SDSI, A can also be a SDSI name. For example, a certificate such
as (K_Alice, K_Dave friends, 1, downloadPhotos, 1) might indicate that Alice
allows Dave's friends to download photos and to delegate the permission to
others. Notice that as principals are added to or removed from the group of
Dave's friends, they automatically gain or lose this permission.
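The name resolution and group-based authorization described above, as an added example that is not part of the original text. It assumes every certificate has already had its signature verified, uses plain strings in place of public keys, and checks direct grants only; K_Erin, K_Mallory and the “K_Dave friends” alias certificate are constructed for the illustration.

```python
# Added illustration; plain strings stand in for public keys.
# Name cert (K, A, S, V): S is a tuple (key, id1, ..., idn), n >= 0.
NAME_CERTS = [
    ("K_Alice", "bob", ("K_Bob",), 1),               # from the text
    ("K_Bob", "friend", ("K_Carol",), 1),            # from the text
    ("K_Bob", "friend", ("K_Dave", "friend"), 1),    # from the text
    ("K_Dave", "friend", ("K_Erin",), 1),            # constructed
    ("K_Dave", "friends", ("K_Dave", "friend"), 1),  # constructed alias
    ("K_Dave", "friend", ("K_Mallory",), 0),         # constructed, V = 0
]
# Authorization cert (K, A, D, T, V), the example from the text.
AUTH_CERTS = [("K_Alice", ("K_Dave", "friends"), 1, "downloadPhotos", 1)]


def eval_name(name, table):
    """Follow each identifier of (key, id1, ..., idn) through the table."""
    keys = {name[0]}
    for ident in name[1:]:
        keys = set().union(*(table.get((k, ident), set()) for k in keys))
    return keys


def build_table(name_certs):
    """Map every local name (K, A) to its key set, iterating to a fixpoint
    so that group names defined in terms of each other still terminate."""
    table, changed = {}, True
    while changed:
        changed = False
        for issuer, ident, subject, valid in name_certs:
            if valid != 1:
                continue  # certificates with V = 0 contribute nothing
            found = eval_name(subject, table)
            bound = table.setdefault((issuer, ident), set())
            if not found <= bound:
                bound |= found
                changed = True
    return table


def resolve(name, name_certs):
    return eval_name(name, build_table(name_certs))


def is_authorized(owner, requester, tag, name_certs, auth_certs):
    """Direct grants only: delegation chains (the D bit) are not followed."""
    table = build_table(name_certs)
    return any(
        issuer == owner and t == tag and valid == 1
        and requester in eval_name(subject, table)
        for issuer, subject, _d, t, valid in auth_certs
    )
```

Because the subject of Alice's certificate is a name and not a key, appending or dropping a (K_Dave, friend, ...) name certificate changes who passes is_authorized without Alice reissuing anything.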
3.3 QCM and SD3
QCM [25], short for “Query Certificate Manager,” was designed at the
University of Pennsylvania as part of the SwitchWare project on active networks.
It was designed specifically to support secure maintenance of distributed data
sets. For example, QCM can be used to support decentralized administration
of distributed repositories housing public key certificates that map names to
public keys. In the sense of access control, QCM provides security support for
the query and retrieval of ACLs. Although QCM is not designed to be a trust