IETF-SSH archive
Re: Certificate authentication
pgut001%cs.auckland.ac.nz@localhost (Peter Gutmann) writes:
> Speaking of SPKI, it's not just X.509 that has the issue with being
> underspecified, both SPKI and PGP have the same problem. Instead of removing
> these portions entirely, how about adding a note to say that the identifiers
> for X.509/SPKI/PGP are reserved for possible future standardisation?
Makes sense to me.
As for SPKI, the only SPKI-ish thing I do yet is in the representation of
the "known-hosts" database, where I use ACLs of the form
  (acl
    (entry
      (subject
        (public-key
          (rsa-pkcs1-sha1
            (n |AMxUKL4vuu8WvsMpkc/
                bt6ZcdJ7UJxCwaDVOEg
                pd0ZMEhWZK2bEUwtH06
                TimrUDbNa/wSxaFbdta
                FRcCF1XrxkMAfi39Gfu
                cPasFQEDbv2FABRwT06
                gc3uMGCv4ElqkDi6I+6
                zoWZNMbQEulEqnHyncz
                HUVoHrmeedD+oEsxB37
                9|)
            (e "#"))))
      (tag (ssh-hostkey org.gnu.savannah))))
Note the reversed domain name; that is to make it possible to use
ACLs/certificates with (tag (ssh-hostkey (* prefix org.gnu.))) to
represent the capability of representing any machine under gnu.org.
/Niels
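
The prefix matching described in the message above, as an added example that is not part of the original post and not the author's code. It is a simplified Python matcher covering only atoms, equal-length lists, (*) and (* prefix ...); the helper names reverse_host and grants are hypothetical.

```python
import re

def parse(text):
    """Parse a small S-expression subset: parentheses and bare tokens."""
    tokens = re.findall(r"[()]|[^\s()]+", text)
    pos = 0
    def read():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1
            return items
        if tok == ")":
            raise ValueError("unexpected )")
        return tok
    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return expr

def matches(pattern, request):
    """True if the granted tag `pattern` covers the requested tag."""
    if isinstance(pattern, list) and pattern[:1] == ["*"]:
        if len(pattern) == 1:                      # (*) covers anything
            return True
        if len(pattern) == 3 and pattern[1] == "prefix":
            return isinstance(request, str) and request.startswith(pattern[2])
        return False                               # other star forms: not handled
    if isinstance(pattern, str) or isinstance(request, str):
        return pattern == request
    return len(pattern) == len(request) and all(
        matches(p, r) for p, r in zip(pattern, request))

def reverse_host(hostname):
    """savannah.gnu.org -> org.gnu.savannah, the form used in the ACL."""
    return ".".join(reversed(hostname.lower().rstrip(".").split(".")))

def grants(acl_tag, hostname):
    """Check a tag from an ACL entry against a host name being verified."""
    request = ["tag", ["ssh-hostkey", reverse_host(hostname)]]
    return matches(parse(acl_tag), request)

WILDCARD = "(tag (ssh-hostkey (* prefix org.gnu.)))"   # tag from the message
EXACT = "(tag (ssh-hostkey org.gnu.savannah))"         # tag from the message
```

Because the prefix ends in a dot, the match stops at a label boundary: a name such as gnuevil.org is not covered, and neither is the bare gnu.org itself.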