SPKI Certificate Theory

The SPKI Working Group has developed a standard form for digital certificates whose main purpose is authorization rather than authentication. These structures bind either names or explicit authorizations to keys or other objects. The binding to a key can be directly to an explicit key, or indirectly through the hash of the key or a name for it. The name and authorization structures can be used separately or together. We use S-expressions as the standard format for these certificates and define a canonical form for those S-expressions. As part of this development, a mechanism for deriving authorization decisions from a mixture of certificate types was developed and is presented in this document.

[1]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[2]  Norman Hardy,et al.  KeyKOS architecture , 1985, OPSR.

[3]  Nathaniel S. Borenstein,et al.  Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types , 1996, RFC.

[4]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[5]  David Kemp The Public Key Login Protocol , 1997 .

[6]  Ronald L. Rivest,et al.  SDSI - A Simple Distributed Security Infrastructure , 1996 .

[7]  Loren M. Kohnfelder,et al.  Towards a practical public-key cryptosystem. , 1978 .

[8]  Steve Kent,et al.  Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management , 1989, RFC.

[9]  Henry M. Levy,et al.  Capability-Based Computer Systems , 1984 .

[10]  Carl M. Ellison Cybercash Establishing Identity Without Certification Authorities , 1996 .

[11]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[12]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[13]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[14]  Carl M. Ellison,et al.  The nature of a useable PKI , 1999, Comput. Networks.

[15]  Jack B. Dennis,et al.  Programming semantics for multiprogrammed computations , 1966, CACM.

[16]  Martín Abadi,et al.  A Calculus for Access Control in Distributed Systems , 1991, CRYPTO.

[17]  西 和人,et al.  MIME(Multipurpose Internet Mail Extensions)について , 1993 .

[18]  Theodore A. Linden Operating System Structures to Support Security and Reliable Software , 1976, CSUR.

[19]  Keith Moore MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text , 1996, RFC.

[20]  Jean-Emile Elien,et al.  Certificate discovery using SPKI/SDSI 2.0 certificates , 1998 .

[21]  Charles R. Landau Security in a secure capability-based system , 1989, OPSR.

[22]  Nathaniel S. Borenstein,et al.  Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies , 1996, RFC.

[23]  Martín Abadi,et al.  On SDSI's linked local name spaces , 1997, Proceedings 10th Computer Security Foundations Workshop.

[24]  B. Lampson,et al.  Authentication in distributed systems: theory and practice , 1991, TOCS.