diff options
Diffstat (limited to 'doc/rfc/rfc2693.txt')
-rw-r--r-- | doc/rfc/rfc2693.txt | 2411 |
1 files changed, 2411 insertions, 0 deletions
diff --git a/doc/rfc/rfc2693.txt b/doc/rfc/rfc2693.txt new file mode 100644 index 0000000..a6e72f3 --- /dev/null +++ b/doc/rfc/rfc2693.txt @@ -0,0 +1,2411 @@ + + + + + + +Network Working Group C. Ellison +Request for Comments: 2693 Intel +Category: Experimental B. Frantz + Electric Communities + B. Lampson + Microsoft + R. Rivest + MIT Laboratory for Computer Science + B. Thomas + Southwestern Bell + T. Ylonen + SSH + September 1999 + + + SPKI Certificate Theory + +Status of this Memo + + This memo defines an Experimental Protocol for the Internet + community. It does not specify an Internet standard of any kind. + Discussion and suggestions for improvement are requested. + Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1999). All Rights Reserved. + +Abstract + + The SPKI Working Group has developed a standard form for digital + certificates whose main purpose is authorization rather than + authentication. These structures bind either names or explicit + authorizations to keys or other objects. The binding to a key can be + directly to an explicit key, or indirectly through the hash of the + key or a name for it. The name and authorization structures can be + used separately or together. We use S-expressions as the standard + format for these certificates and define a canonical form for those + S-expressions. As part of this development, a mechanism for deriving + authorization decisions from a mixture of certificate types was + developed and is presented in this document. + + This document gives the theory behind SPKI certificates and ACLs + without going into technical detail about those structures or their + uses. + + + + + + +Ellison, et al. Experimental [Page 1] + +RFC 2693 SPKI Certificate Theory September 1999 + + +Table of Contents + + 1. Overview of Contents.......................................3 + 1.1 Glossary..................................................4 + 2. Name Certification.........................................5 + 2.1 First Definition of CERTIFICATE...........................6 + 2.2 The X.500 Plan and X.509..................................6 + 2.3 X.509, PEM and PGP........................................7 + 2.4 Rethinking Global Names...................................7 + 2.5 Inescapable Identifiers...................................9 + 2.6 Local Names..............................................10 + 2.6.1 Basic SDSI Names.......................................10 + 2.6.2 Compound SDSI Names....................................10 + 2.7 Sources of Global Identifiers............................11 + 2.8 Fully Qualified SDSI Names...............................11 + 2.9 Fully Qualified X.509 Names..............................12 + 2.10 Group Names.............................................12 + 3. Authorization.............................................12 + 3.1 Attribute Certificates...................................13 + 3.2 X.509v3 Extensions.......................................13 + 3.3 SPKI Certificates........................................14 + 3.4 ACL Entries..............................................15 + 4. Delegation................................................15 + 4.1 Depth of Delegation......................................15 + 4.1.1 No control.............................................15 + 4.1.2 Boolean control........................................16 + 4.1.3 Integer control........................................16 + 4.1.4 The choice: boolean....................................16 + 4.2 May a Delegator Also Exercise the Permission?............17 + 4.3 Delegation of Authorization vs. ACLs.....................17 + 5. Validity Conditions.......................................18 + 5.1 Anti-matter CRLs.........................................18 + 5.2 Timed CRLs...............................................19 + 5.3 Timed Revalidations......................................20 + 5.4 Setting the Validity Interval............................20 + 5.5 One-time Revalidations...................................20 + 5.6 Short-lived Certificates.................................21 + 5.7 Other possibilities......................................21 + 5.7.1 Micali's Inexpensive On-line Results...................21 + 5.7.2 Rivest's Reversal of the CRL Logic.....................21 + 6. Tuple Reduction...........................................22 + 6.1 5-tuple Defined..........................................23 + 6.2 4-tuple Defined..........................................24 + 6.3 5-tuple Reduction Rules..................................24 + 6.3.1 AIntersect.............................................25 + 6.3.2 VIntersect.............................................27 + 6.3.3 Threshold Subjects.....................................27 + 6.3.4 Certificate Path Discovery.............................28 + + + +Ellison, et al. Experimental [Page 2] + +RFC 2693 SPKI Certificate Theory September 1999 + + + 6.4 4-tuple Reduction........................................28 + 6.4.1 4-tuple Threshold Subject Reduction....................29 + 6.4.2 4-tuple Validity Intersection..........................29 + 6.5 Certificate Translation..................................29 + 6.5.1 X.509v1................................................29 + 6.5.2 PGP....................................................30 + 6.5.3 X.509v3................................................30 + 6.5.4 X9.57..................................................30 + 6.5.5 SDSI 1.0...............................................30 + 6.5.6 SPKI...................................................31 + 6.5.7 SSL....................................................31 + 6.6 Certificate Result Certificates..........................32 + 7. Key Management............................................33 + 7.1 Through Inescapable Names................................33 + 7.2 Through a Naming Authority...............................33 + 7.3 Through <name,key> Certificates..........................34 + 7.4 Increasing Key Lifetimes.................................34 + 7.5 One Root Per Individual..................................35 + 7.6 Key Revocation Service...................................36 + 7.7 Threshold ACL Subjects...................................36 + 8. Security Considerations...................................37 + References...................................................38 + Acknowledgments..............................................40 + Authors' Addresses...........................................41 + Full Copyright Statement.....................................43 + +1. Overview of Contents + + This document contains the following sections: + + Section 2: history of name certification, from 1976 on. + + Section 3: discussion of authorization, rather than authentication, + as the desired purpose of a certificate. + + Section 4: discussion of delegation. + + Section 5: discussion of validity conditions: date ranges, CRLs, re- + validations and one-time on-line validity tests. + + Section 6: definition of 5-tuples and their reduction. + + Section 7: discussion of key management. + + Section 8: security considerations. + + + + + + +Ellison, et al. Experimental [Page 3] + +RFC 2693 SPKI Certificate Theory September 1999 + + + The References section lists all documents referred to in the text as + well as readings which might be of interest to anyone reading on this + topic. + + The Acknowledgements section, including a list of contributors + primarily from the start of the working group. [The archive of + working group mail is a more accurate source of contributor + information.] + + The Authors' Addresses section gives the addresses, telephone numbers + and e-mail addresses of the authors. + +1.1 Glossary + + We use some terms in the body of this document in ways that could be + specific to SPKI: + + ACL: an Access Control List: a list of entries that anchors a + certificate chain. Sometimes called a "list of root keys", the ACL + is the source of empowerment for certificates. That is, a + certificate communicates power from its issuer to its subject, but + the ACL is the source of that power (since it theoretically has the + owner of the resource it controls as its implicit issuer). An ACL + entry has potentially the same content as a certificate body, but has + no Issuer (and is not signed). There is most likely one ACL for each + resource owner, if not for each controlled resource. + + CERTIFICATE: a signed instrument that empowers the Subject. It + contains at least an Issuer and a Subject. It can contain validity + conditions, authorization and delegation information. Certificates + come in three categories: ID (mapping <name,key>), Attribute (mapping + <authorization,name>), and Authorization (mapping + <authorization,key>). An SPKI authorization or attribute certificate + can pass along all the empowerment it has received from the Issuer or + it can pass along only a portion of that empowerment. + + ISSUER: the signer of a certificate and the source of empowerment + that the certificate is communicating to the Subject. + + KEYHOLDER: the person or other entity that owns and controls a given + private key. This entity is said to be the keyholder of the keypair + or just the public key, but control of the private key is assumed in + all cases. + + PRINCIPAL: a cryptographic key, capable of generating a digital + signature. We deal with public-key signatures in this document but + any digital signature method should apply. + + + + +Ellison, et al. Experimental [Page 4] + +RFC 2693 SPKI Certificate Theory September 1999 + + + SPEAKING: A Principal is said to "speak" by means of a digital + signature. The statement made is the signed object (often a + certificate). The Principal is said to "speak for" the Keyholder. + + SUBJECT: the thing empowered by a certificate or ACL entry. This can + be in the form of a key, a name (with the understanding that the name + is mapped by certificate to some key or other object), a hash of some + object, or a set of keys arranged in a threshold function. + + S-EXPRESSION: the data format chosen for SPKI/SDSI. This is a LISP- + like parenthesized expression with the limitations that empty lists + are not allowed and the first element in any S-expression must be a + string, called the "type" of the expression. + + THRESHOLD SUBJECT: a Subject for an ACL entry or certificate that + specifies K of N other Subjects. Conceptually, the power being + transmitted to the Subject by the ACL entry or certificate is + transmitted in (1/K) amount to each listed subordinate Subject. K of + those subordinate Subjects must agree (by delegating their shares + along to the same object or key) for that power to be passed along. + This mechanism introduces fault tolerance and is especially useful in + an ACL entry, providing fault tolerance for "root keys". + +2. Name Certification + + Certificates were originally viewed as having one function: binding + names to keys or keys to names. This thought can be traced back to + the paper by Diffie and Hellman introducing public key cryptography + in 1976. Prior to that time, key management was risky, involved and + costly, sometimes employing special couriers with briefcases + handcuffed to their wrists. + + Diffie and Hellman thought they had radically solved this problem. + "Given a system of this kind, the problem of key distribution is + vastly simplified. Each user generates a pair of inverse + transformations, E and D, at his terminal. The deciphering + transformation, D, must be kept secret but need never be communicated + on any channel. The enciphering key, E, can be made public by + placing it in a public directory along with the user's name and + address. Anyone can then encrypt messages and send them to the user, + but no one else can decipher messages intended for him." [DH] + + This modified telephone book, fully public, took the place of the + trusted courier. This directory could be put on-line and therefore + be available on demand, worldwide. In considering that prospect, + Loren Kohnfelder, in his 1978 bachelor's thesis in electrical + engineering from MIT [KOHNFELDER], noted: "Public-key communication + works best when the encryption functions can reliably be shared among + + + +Ellison, et al. Experimental [Page 5] + +RFC 2693 SPKI Certificate Theory September 1999 + + + the communicants (by direct contact if possible). Yet when such a + reliable exchange of functions is impossible the next best thing is + to trust a third party. Diffie and Hellman introduce a central + authority known as the Public File." + +2.1 First Definition of CERTIFICATE + + Kohnfelder then noted, "Each individual has a name in the system by + which he is referenced in the Public File. Once two communicants + have gotten each other's keys from the Public File they can securely + communicate. The Public File digitally signs all of its + transmissions so that enemy impersonation of the Public File is + precluded." In an effort to prevent performance problems, Kohnfelder + invented a new construct: a digitally signed data record containing a + name and a public key. He called this new construct a CERTIFICATE. + Because it was digitally signed, such a certificate could be held by + non-trusted parties and passed around from person to person, + resolving the performance problems involved in a central directory. + +2.2 The X.500 Plan and X.509 + + Ten years after Kohnfelder's thesis, the ISO X.509 recommendation was + published as part of X.500. X.500 was to be a global, distributed + database of named entities: people, computers, printers, etc. In + other words, it was to be a global, on-line telephone book. The + organizations owning some portion of the name space would maintain + that portion and possibly even provide the computers on which it was + stored. X.509 certificates were defined to bind public keys to X.500 + path names (Distinguished Names) with the intention of noting which + keyholder had permission to modify which X.500 directory nodes. In + fact, the X.509 data record was originally designed to hold a + password instead of a public key as the record-access authentication + mechanism. + + The original X.500 plan is unlikely ever to come to fruition. + Collections of directory entries (such as employee lists, customer + lists, contact lists, etc.) are considered valuable or even + confidential by those owning the lists and are not likely to be + released to the world in the form of an X.500 directory sub-tree. + For an extreme example, imagine the CIA adding its directory of + agents to a world-wide X.500 pool. + + The X.500 idea of a distinguished name (a single, globally unique + name that everyone could use when referring to an entity) is also not + likely to occur. That idea requires a single, global naming + discipline and there are too many entities already in the business of + defining names not under a single discipline. Legacy therefore + militates against such an idea. + + + +Ellison, et al. Experimental [Page 6] + +RFC 2693 SPKI Certificate Theory September 1999 + + +2.3 X.509, PEM and PGP + + The Privacy Enhanced Mail [PEM] effort of the Internet Engineering + Task Force [RFC1114] adopted X.509 certificates, but with a different + interpretation. Where X.509 was originally intended to mean "the + keyholder may modify this portion of the X.500 database", PEM took + the certificate to mean "the key speaks for the named person". What + had been an access control instrument was now an identity instrument, + along the lines envisioned by Diffie, Hellman and Kohnfelder. + + The insistence on X.509 certificates with a single global root + delayed PEM's adoption past its window of viability. RIPEM, by Mark + Riordan of MSU, was a version of PEM without X.509 certificates. It + was distributed and used by a small community, but fell into disuse. + MOSS (a MIME-enhanced version of PEM, produced by TIS (www.tis.com)) + made certificate use optional, but received little distribution. + + At about the same time, in 1991, Phil Zimmermann's PGP was introduced + with a different certificate model. Instead of waiting for a single + global root and the hierarchy of Certificate Authorities descending + from that root, PGP allowed multiple, (hopefully) independent but not + specially trusted individuals to sign a <name,key> association, + attesting to its validity. The theory was that with enough such + signatures, that association could be trusted because not all of + these signer would be corrupt. This was known as the "web of trust" + model. It differed from X.509 in the method of assuring trust in the + <name,key> binding, but it still intended to bind a globally unique + name to a key. With PEM and PGP, the intention was for a keyholder + to be known to anyone in the world by this certified global name. + +2.4 Rethinking Global Names + + The assumption that the job of a certificate was to bind a name to a + key made sense when it was first published. In the 1970's, people + operated in relatively small communities. Relationships formed face + to face. Once you knew who someone was, you often knew enough to + decide how to behave with that person. As a result, people have + reduced this requirement to the simply stated: "know who you're + dealing with". + + Names, in turn, are what we humans use as identifiers of persons. We + learn this practice as infants. In the family environment names work + as identifiers, even today. What we learn as infants is especially + difficult to re-learn later in life. Therefore, it is natural for + people to translate the need to know who the keyholder is into a need + to know the keyholder's name. + + + + + +Ellison, et al. Experimental [Page 7] + +RFC 2693 SPKI Certificate Theory September 1999 + + + Computer applications need to make decisions about keyholders. These + decisions are almost never made strictly on the basis of a + keyholder's name. There is some other fact about the keyholder of + interest to the application (or to the human being running the + application). If a name functions at all for security purposes, it + is as an index into some database (or human memory) of that other + information. To serve in this role, the name must be unique, in + order to serve as an index, and there must be some information to be + indexed. + + The names we use to identify people are usually unique, within our + local domain, but that is not true on a global scale. It is + extremely unlikely that the name by which we know someone, a given + name, would function as a unique identifier on the Internet. Given + names continue to serve the social function of making the named + person feel recognized when addressed by name but they are inadequate + as the identifiers envisioned by Diffie, Hellman and Kohnfelder. + + In the 1970's and even through the early 1990's, relationships formed + in person and one could assume having met the keyholder and therefore + having acquired knowledge about that person. If a name could be + found that was an adequate identifier of that keyholder, then one + might use that name to index into memories about the keyholder and + then be able to make the relevant decision. + + In the late 1990's, this is no longer true. With the explosion of + the Internet, it is likely that one will encounter keyholders who are + complete strangers in the physical world and will remain so. Contact + will be made digitally and will remain digital for the duration of + the relationship. Therefore, on first encounter there is no body of + knowledge to be indexed by any identifier. + + One might consider building a global database of facts about all + persons in the world and making that database available (perhaps for + a fee). The name that indexes that database might also serve as a + globally unique ID for the person referenced. The database entry + under that name could contain all the information needed to allow + someone to make a security decision. Since there are multiple + decision-makers, each interested in specific information, the + database would need to contain the union of multiple sets of + information. However, that solution would constitute a massive + privacy violation and would probably be rejected as politically + impossible. + + A globally unique ID might even fail when dealing with people we do + know. Few of us know the full given names of people with whom we + deal. A globally unique name for a person would be larger than the + full given name (and probably contain it, out of deference to a + + + +Ellison, et al. Experimental [Page 8] + +RFC 2693 SPKI Certificate Theory September 1999 + + + person's fondness for his or her own name). It would therefore not + be a name by which we know the person, barring a radical change in + human behavior. + + A globally unique ID that contains a person's given name poses a + special danger. If a human being is part of the process (e.g., + scanning a database of global IDs in order to find the ID of a + specific person for the purpose of issuing an attribute certificate), + then it is likely that the human operator would pay attention to the + familiar portion of the ID (the common name) and pay less attention + to the rest. Since the common name is not an adequate ID, this can + lead to mistakes. Where there can be mistakes, there is an avenue + for attack. + + Where globally unique identifiers need to be used, perhaps the best + ID is one that is uniform in appearance (such as a long number or + random looking text string) so that it has no recognizable sub-field. + It should also be large enough (from a sparse enough name space) that + typographical errors would not yield another valid identifier. + +2.5 Inescapable Identifiers + + Some people speak of global IDs as if they were inescapable + identifiers, able to prevent someone from doing evil under one name, + changing his name and starting over again. To make that scenario + come true, one would have to have assignment of such identifiers + (probably by governments, at birth) and some mechanism so that it is + always possible to get from any flesh and blood person back to his or + her identifier. Given that latter mechanism, any Certificate + Authority desiring to issue a certificate to a given individual would + presumably choose the same, inescapable name for that certificate. A + full set of biometrics might suffice, for example, to look up a + person without danger of false positive in a database of globally + assigned ID numbers and with that procedure one could implement + inescapable IDs. + + The use of an inescapable identifier might be possible in some + countries, but in others (such as the US) it would meet strong + political opposition. Some countries have government-assigned ID + numbers for citizens but also have privacy regulations that prohibit + the use of those numbers for routine business. In either of these + latter cases, the inescapable ID would not be available for use in + routine certificates. + + There was a concern that commercial Certificate Authorities might + have been used to bring inescapable names into existence, bypassing + the political process and the opposition to such names in those + countries where such opposition is strong. As the (name,key) + + + +Ellison, et al. Experimental [Page 9] + +RFC 2693 SPKI Certificate Theory September 1999 + + + certificate business is evolving today, there are multiple competing + CAs each creating disjoint Distinguished Name spaces. There is also + no real block to the creation of new CAs. Therefore a person is able + to drop one Distinguished Name and get another, by changing CA, + making these names not inescapable. + +2.6 Local Names + + Globally unique names may be politically undesirable and relatively + useless, in the world of the Internet, but we use names all the time. + + The names we use are local names. These are the names we write in + our personal address books or use as nicknames or aliases with e-mail + agents. They can be IDs assigned by corporations (e.g., bank account + numbers or employee numbers). Those names or IDs do not need to be + globally unique. Rather, they need to be unique for the one entity + that maintains that address book, e-mail alias file or list of + accounts. More importantly, they need to be meaningful to the person + who uses them as indexes. + + Ron Rivest and Butler Lampson showed with SDSI 1.0 [SDSI] that one + can not only use local names locally, one can use local names + globally. The clear security advantage and operational simplicity of + SDSI names caused us in the SPKI group to adopt SDSI names as part of + the SPKI standard. + +2.6.1 Basic SDSI Names + + A basic SDSI 2.0 name is an S-expression with two elements: the word + "name" and the chosen name. For example, + + george: (name fred) + + represents a basic SDSI name "fred" in the name space defined by + george. + +2.6.2 Compound SDSI Names + + If fred in turn defines a name, for example, + + fred: (name sam) + + then george can refer to this same entity as + + george: (name fred sam) + + + + + + +Ellison, et al. Experimental [Page 10] + +RFC 2693 SPKI Certificate Theory September 1999 + + +2.7 Sources of Global Identifiers + + Even though humans use local names, computer systems often need + globally unique identifiers. Even in the examples of section 2.6.2 + above, we needed to make the local names more global and did so by + specifying the name-space owner. + + If we are using public key cryptography, we have a ready source of + globally unique identifiers. + + When one creates a key pair, for use in public key cryptography, the + private key is bound to its owner by good key safeguarding practice. + If that private key gets loose from its owner, then a basic premise + of public key cryptography has been violated and that key is no + longer of interest. + + The private key is also globally unique. If it were not, then the + key generation process would be seriously flawed and we would have to + abandon this public key system implementation. + + The private key must be kept secret, so it is not a possible + identifier, but each public key corresponds to one private key and + therefore to one keyholder. The public key, viewed as a byte string, + is therefore an identifier for the keyholder. + + If there exists a collision-free hash function, then a collision-free + hash of the public key is also a globally unique identifier for the + keyholder, and probably a shorter one than the public key. + +2.8 Fully Qualified SDSI Names + + SDSI local names are of great value to their definer. Each local + name maps to one or more public keys and therefore to the + corresponding keyholder(s). Through SDSI's name chaining, these + local names become useful potentially to the whole world. [See + section 2.6.2 for an example of SDSI name chaining.] + + To a computer system making use of these names, the name string is + not enough. One must identify the name space in which that byte + string is defined. That name space can be identified globally by a + public key. + + It is SDSI 1.0 convention, preserved in SPKI, that if a (local) SDSI + name occurs within a certificate, then the public key of the issuer + is the identifier of the name space in which that name is defined. + + + + + + +Ellison, et al. Experimental [Page 11] + +RFC 2693 SPKI Certificate Theory September 1999 + + + However, if a SDSI name is ever to occur outside of a certificate, + the name space within which it is defined must be identified. This + gives rise to the Fully Qualified SDSI Name. That name is a public + key followed by one or more names relative to that key. If there are + two or more names, then the string of names is a SDSI name chain. + For example, + + (name (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|) jim therese) + + is a fully qualified SDSI name, using the SHA-1 hash of a public key + as the global identifier defining the name space and anchoring this + name string. + +2.9 Fully Qualified X.509 Names + + An X.509 Distinguished Name can and sometimes must be expressed as a + Fully Qualified Name. If the PEM or original X.500 vision of a + single root for a global name space had come true, this wouldn't be + necessary because all names would be relative to that same one root + key. However, there is not now and is not likely ever to be a single + root key. Therefore, every X.509 name should be expressed as the + pair + + (name <root key> <leaf name>) + + if all leaf names descending from that root are unique. If + uniqueness is enforced only within each individual CA, then one would + build a Fully Qualified Name chain from an X.509 certificate chain, + yielding the form + + (name <root key> <CA(1)> <CA(2)> ... <CA(k)> <leaf name>). + +2.10 Group Names + + SPKI/SDSI does not claim to enforce one key per name. Therefore, a + named group can be defined by issuing multiple (name,key) + certificates with the same name -- one for each group member. + +3. Authorization + + Fully qualified SDSI names represent globally unique names, but at + every step of their construction the local name used is presumably + meaningful to the issuer. Therefore, with SDSI name certificates one + can identify the keyholder by a name relevant to someone. + + + + + + + +Ellison, et al. Experimental [Page 12] + +RFC 2693 SPKI Certificate Theory September 1999 + + + However, what an application needs to do, when given a public key + certificate or a set of them, is answer the question of whether the + remote keyholder is permitted some access. That application must + make a decision. The data needed for that decision is almost never + the spelling of a keyholder's name. + + Instead, the application needs to know if the keyholder is authorized + for some access. This is the primary job of a certificate, according + to the members of the SPKI WG, and the SPKI certificate was designed + to meet this need as simply and directly as possible. + + We realize that the world is not going to switch to SPKI certificates + overnight. Therefore, we developed an authorization computation + process that can use certificates in any format. That process is + described below in section 6. + + The various methods of establishing authorization are documented + below, briefly. (See also [UPKI]) + +3.1 Attribute Certificates + + An Attribute Certificate, as defined in X9.57, binds an attribute + that could be an authorization to a Distinguished Name. For an + application to use this information, it must combine an attribute + certificate with an ID certificate, in order to get the full mapping: + + authorization -> name -> key + + Presumably the two certificates involved came from different issuers, + one an authority on the authorization and the other an authority on + names. However, if either of these issuers were subverted, then an + attacker could obtain an authorization improperly. Therefore, both + the issuers need to be trusted with the authorization decision. + +3.2 X.509v3 Extensions + + X.509v3 permits general extensions. These extensions can be used to + carry authorization information. This makes the certificate an + instrument mapping both: + + authorization -> key + + and + + name -> key + + In this case, there is only one issuer, who must be an authority on + both the authorization and the name. + + + +Ellison, et al. Experimental [Page 13] + +RFC 2693 SPKI Certificate Theory September 1999 + + + Some propose issuing a master X.509v3 certificate to an individual + and letting extensions hold all the attributes or authorizations the + individual would need. This would require the issuer to be an + authority on all of those authorizations. In addition, this + aggregation of attributes would result in shortening the lifetime of + the certificate, since each attribute would have its own lifetime. + Finally, aggregation of attributes amounts to the building of a + dossier and represents a potential privacy violation. + + For all of these reasons, it is desirable that authorizations be + limited to one per certificate. + +3.3 SPKI Certificates + + A basic SPKI certificate defines a straight authorization mapping: + + authorization -> key + + If someone wants access to a keyholder's name, for logging purposes + or even for punishment after wrong-doing, then one can map from key + to location information (name, address, phone, ...) to get: + + authorization -> key -> name + + This mapping has an apparent security advantage over the attribute + certificate mapping. In the mapping above, only the + + authorization -> key + + mapping needs to be secure at the level required for the access + control mechanism. The + + key -> name + + mapping (and the issuer of any certificates involved) needs to be + secure enough to satisfy lawyers or private investigators, but a + subversion of this mapping does not permit the attacker to defeat the + access control. Presumably, therefore, the care with which these + certificates (or database entries) are created is less critical than + the care with which the authorization certificate is issued. It is + also possible that the mapping to name need not be on-line or + protected as certificates, since it would be used by human + investigators only in unusual circumstances. + + + + + + + + +Ellison, et al. Experimental [Page 14] + +RFC 2693 SPKI Certificate Theory September 1999 + + +3.4 ACL Entries + + SDSI 1.0 defined an ACL, granting authorization to names. It was + then like an attribute certificate, except that it did not need to be + signed or issued by any key. It was held in local memory and was + assumed issued by the owner of the computer and therefore of the + resource being controlled. + + In SPKI, an ACL entry is free to be implemented in any way the + developer chooses, since it is never communicated and therefore does + not need to be standardized. However, a sample implementation is + documented, as a certificate body minus the issuer field. The ACL + entry can have a name as a subject, as in SDSI 1.0, or it can have a + key as a subject. Examples of the latter include the list of SSL + root keys in an SSL capable browser or the file .ssh/authorized_keys + in a user's home UNIX directory. Those ACLs are single-purpose, so + the individual entries do not carry explicit authorizations, but SPKI + uses explicit authorizations so that one can use common authorization + computation code to deal with multiple applications. + +4. Delegation + + One of the powers of an authorization certificate is the ability to + delegate authorizations from one person to another without bothering + the owner of the resource(s) involved. One might issue a simple + permission (e.g., to read some file) or issue the permission to + delegate that permission further. + + Two issues arose as we considered delegation: the desire to limit + depth of delegation and the question of separating delegators from + those who can exercise the delegated permission. + +4.1 Depth of Delegation + + There were three camps in discussing depth of delegation: no control, + boolean control and integer control. There remain camps in favor of + each of these, but a decision was reached in favor of boolean + control. + +4.1.1 No control + + The argument in favor of no control is that if a keyholder is given + permission to do something but not the permission to delegate it, + then it is possible for that keyholder to loan out the empowered + private key or to set up a proxy service, signing challenges or + requests for the intended delegate. Therefore, the attempt to + restrict the permission to delegate is ineffective and might back- + fire, by leading to improper security practices. + + + +Ellison, et al. Experimental [Page 15] + +RFC 2693 SPKI Certificate Theory September 1999 + + +4.1.2 Boolean control + + The argument in favor of boolean control is that one might need to + specify an inability to delegate. For example, one could imagine the + US Commerce Department having a key that is authorized to declare a + cryptographic software module exportable and also to delegate that + authorization to others (e.g., manufacturers). It is reasonable to + assume the Commerce Department would not issue permission to delegate + this further. That is, it would want to have a direct legal + agreement with each manufacturer and issue a certificate to that + manufacturer only to reflect that the legal agreement is in place. + +4.1.3 Integer control + + The argument in favor of integer control is that one might want to + restrict the depth of delegation in order to control the + proliferation of a delegated permission. + +4.1.4 The choice: boolean + + Of these three, the group chose boolean control. The subject of a + certificate or ACL entry may exercise any permission granted and, if + delegation is TRUE, may also delegate that permission or some subset + of it to others. + + The no control argument has logical appeal, but there remains the + assumption that a user will value his or her private key enough not + to loan it out or that the key will be locked in hardware where it + can't be copied to any other user. This doesn't prevent the user + from setting up a signing oracle, but lack of network connectivity + might inhibit that mechanism. + + The integer control option was the original design and has appeal, + but was defeated by the inability to predict the proper depth of + delegation. One can always need to go one more level down, by + creating a temporary signing key (e.g., for use in a laptop). + Therefore, the initially predicted depth could be significantly off. + + As for controlling the proliferation of permissions, there is no + control on the width of the delegation tree, so control on its depth + is not a tight control on proliferation. + + + + + + + + + + +Ellison, et al. Experimental [Page 16] + +RFC 2693 SPKI Certificate Theory September 1999 + + +4.2 May a Delegator Also Exercise the Permission? + + We decided that a delegator is free to create a new key pair, also + controlled by it, and delegate the rights to that key to exercise the + delegated permission. Therefore, there was no benefit from + attempting to restrict the exercise of a permission by someone + permitted to delegate it. + +4.3 Delegation of Authorization vs. ACLs + + One concern with defining an authorization certificate is that the + function can be performed by traditional <authorization,name> ACLs + and <name,key> ID certificates defining groups. Such a mechanism was + described in SDSI 1.0. A new mechanism needs to add value or it just + complicates life for the developer. + + The argument for delegated authorization as opposed to ACLs can be + seen in the following example. + + Imagine a firewall proxy permitting telnet and ftp access from the + Internet into a network of US DoD machines. Because of the + sensitivity of that destination network, strong access control would + be desired. One could use public key authentication and public key + certificates to establish who the individual keyholder was. Both the + private key and the keyholder's certificates could be kept on a + Fortezza card. That card holds X.509v1 certificates, so all that can + be established is the name of the keyholder. It is then the job of + the firewall to keep an ACL, listing named keyholders and the forms + of access they are each permitted. + + Consider the ACL itself. Not only would it be potentially huge, + demanding far more storage than the firewall would otherwise require, + but it would also need its own ACL. One could not, for example, have + someone in the Army have the power to decide whether someone in the + Navy got access. In fact, the ACL would probably need not one level + of its own ACL, but a nested set of ACLs, eventually reflecting the + organization structure of the entire Defense Department. + + Without the ACLs, the firewall could be implemented in a device with + no mass storage, residing in a sealed unit one could easily hold in + one hand. With the ACLs, it would need a large mass storage device + that would be accessed not only while making access control decisions + but also for updating the ACLs. + + By contrast, let the access be controlled by authorization + certificates. The firewall would have an ACL with one entry, + granting a key belonging to the Secretary of Defense the right to + delegate all access through the firewall. The Secretary would, in + + + +Ellison, et al. Experimental [Page 17] + +RFC 2693 SPKI Certificate Theory September 1999 + + + turn, issue certificates delegating this permission to delegate to + each of his or her subordinates. This process would iterate, until + some enlisted man would receive permission to penetrate that firewall + for some specific one protocol, but not have permission to delegate + that permission. + + The certificate structure generated would reflect the organization + structure of the entire Defense Department, just as the nested ACLs + would have, but the control of these certificates (via their issuance + and revocation) is distributed and need not show up in that one + firewall or be replicated in all firewalls. Each individual + delegator of permission performs a simple task, well understood. The + application software to allow that delegation is correspondingly + simple. + +5. Validity Conditions + + A certificate, or an ACL entry, has optional validity conditions. + The traditional ones are validity dates: not-before and not-after. + The SPKI group resolved, in discussion, that on-line tests of various + kinds are also validity conditions. That is, they further refine the + valid date range of a certificate. Three kinds of on-line tests are + envisioned: CRL, re-validation and one-time. + + When validity confirmation is provided by some online test, then the + issuer of those refinements need not be the issuer of the original + certificate. In many cases, the business or security model for the + two issuers is different. However, in SPKI, the certificate issuer + must specify the issuer of validity confirmations. + +5.1 Anti-matter CRLs + + An early form of CRL [Certificate Revocation List] was modeled after + the news print book that used to be kept at supermarket checkout + stands. Those books held lists of bad checking account numbers and, + later, bad credit card numbers. If one's payment instrument wasn't + listed in the book, then that instrument was considered good. + + These books would be issued periodically, and delivered by some means + not necessarily taking a constant time. However, when a new book + arrived, the clerk would replace the older edition with the new one + and start using it. This design was suited to the constraints of the + implementation: use of physical books, delivered by physical means. + The book held bad account numbers rather than good ones because the + list of bad accounts was smaller. + + + + + + +Ellison, et al. Experimental [Page 18] + +RFC 2693 SPKI Certificate Theory September 1999 + + + An early CRL design followed this model. It had a list of revoked + certificate identifiers. It also had a sequence number, so that one + could tell which of two CRLs was more recent. A newer CRL would + replace an older one. + + This mode of operation is like wandering anti-matter. When the + issuer wants to revoke a certificate, it is listed in the next CRL to + go out. If the revocation is urgent, then that CRL can be released + immediately. The CRL then follows some dissemination process + unrelated to the needs of the consumers of the CRL. If the CRL + encounters a certificate it has listed, it effectively annihilates + that certificate. If it encounters an older CRL, it annihilates that + CRL also, leaving a copies of itself at the verifiers it encounters. + + However, this process is non-deterministic. The result of the + authorization computation is at least timing dependent. Given an + active adversary, it can also be a security hole. That is, an + adversary can prevent revocation of a given certificate by preventing + the delivery of new CRLs. This does not require cryptographic level + effort, merely network tampering. + + SPKI has ruled out the use of wandering anti-matter CRLs for its + certificates. Every authorization computation is deterministic, + under SPKI rules. + +5.2 Timed CRLs + + SPKI permits use of timed CRLs. That is, if a certificate can be + referenced in a CRL, then the CRL process is subject to three + conditions. + + 1. The certificate must list the key (or its hash) that will sign + the CRL and may give one or more locations where that CRL might + be fetched. + + 2. The CRL must carry validity dates. + + 3. CRL validity date ranges must not intersect. That is, one may + not issue a new CRL to take effect before the expiration of the + CRL currently deployed. + + Under these rules, no certificate that might use a CRL can be + processed without a valid CRL and no CRL can be issued to show up as + a surprise at the verifier. This yields a deterministic validity + computation, independent of clock skew, although clock inaccuracies + in the verifier may produce a result not desired by the issuer. The + CRL in this case is a completion of the certificate, rather than a + message to the world announcing a change of mind. + + + +Ellison, et al. Experimental [Page 19] + +RFC 2693 SPKI Certificate Theory September 1999 + + + Since CRLs might get very large and since they tend to grow + monotonically, one might want to issue changes to CRLs rather than + full ones. That is, a CRL might be a full CRL followed by a sequence + of delta-CRLs. That sequence of instruments is then treated as a + current CRL and the combined CRL must follow the conditions listed + above. + +5.3 Timed Revalidations + + CRLs are negative statements. The positive version of a CRL is what + we call a revalidation. Typically a revalidation would list only one + certificate (the one of interest), although it might list a set of + certificates (to save digital signature effort). + + As with the CRL, SPKI demands that this process be deterministic and + therefore that the revalidation follow the same rules listed above + (in section 5.2). + +5.4 Setting the Validity Interval + + Both timed CRLs and timed revalidations have non-0 validity + intervals. To set this validity interval, one must answer the + question: "How long are you willing to let the world believe and act + on a statement you know to be false?" + + That is, one must assume that the previous CRL or revalidation has + just been signed and transmitted to at least one consumer, locking up + a time slot. The next available time slot starts after this validity + interval ends. That is the earliest one can revoke a certificate one + learns to be false. + + The answer to that question comes from risk management. It will + probably be based on expected monetary losses, at least in commercial + cases. + +5.5 One-time Revalidations + + Validity intervals of length zero are not possible. Since + transmission takes time, by the time a CRL was received by the + verifier, it would be out of date and unusable. That assumes perfect + clock synchronization. If clock skew is taken into consideration, + validity intervals need to be that much larger to be meaningful. + + For those who want to set the validity interval to zero, SPKI defines + a one-time revalidation. + + + + + + +Ellison, et al. Experimental [Page 20] + +RFC 2693 SPKI Certificate Theory September 1999 + + + This form of revalidation has no lifetime beyond the current + authorization computation. One applies for this on-line, one-time + revalidation by submitting a request containing a nonce. That nonce + gets returned in the signed revalidation instrument, in order to + prevent replay attacks. This protocol takes the place of a validity + date range and represents a validity interval of zero, starting and + ending at the time the authorization computation completes. + +5.6 Short-lived Certificates + + A performance analysis of the various methods of achieving fine-grain + control over the validity interval of a certificate should consider + the possibility of just making the original certificate short-lived, + especially if the online test result is issued by the same key that + issued the certificate. There are cases in which the short-lived + certificate requires fewer signatures and less network traffic than + the various online test options. The use of a short-lived + certificate always requires fewer signature verifications than the + use of certificate plus online test result. + + If one wants to issue short-lived certificates, SPKI defines a kind + of online test statement to tell the user of the certificate where a + replacement short-lived certificate might be fetched. + +5.7 Other possibilities + + There are other possibilities to be considered when choosing a + validity condition model to use. + +5.7.1 Micali's Inexpensive On-line Results + + Silvio Micali has patented a mechanism for using hash chains to + revalidate or revoke a certificate inexpensively. This mechanism + changes the performance requirements of those models and might + therefore change the conclusion from a performance analysis [ECR]. + +5.7.2 Rivest's Reversal of the CRL Logic + + Ron Rivest has written a paper [R98] suggesting that the whole + validity condition model is flawed because it assumes that the issuer + (or some entity to which it delegates this responsibility) decides + the conditions under which a certificate is valid. That traditional + model is consistent with a military key management model, in which + there is some central authority responsible for key release and for + determining key validity. + + + + + + +Ellison, et al. Experimental [Page 21] + +RFC 2693 SPKI Certificate Theory September 1999 + + + However, in the commercial space, it is the verifier and not the + issuer who is taking a risk by accepting a certificate. It should + therefore be the verifier who decides what level of assurance he + needs before accepting a credential. That verifier needs information + from the issuer, and the more recent that information the better, but + the decision is the verifier's in the end. + + This line of thought deserves further consideration, but is not + reflected in the SPKI structure definition. It might even be that + both the issuer and the verifier have stakes in this decision, so + that any replacement validity logic would have to include inputs from + both. + +6. Tuple Reduction + + The processing of certificates and related objects to yield an + authorization result is the province of the developer of the + application or system. The processing plan presented here is an + example that may be followed, but its primary purpose is to clarify + the semantics of an SPKI certificate and the way it and various other + kinds of certificate might be used to yield an authorization result. + + There are three kinds of entity that might be input to the + computation that yields an authorization result: + + 1. <name,key> (as a certificate) + + 2. <authorization,name> (as an attribute certificate or ACL entry) + + 3. <authorization,key> (as an authorization certificate or ACL + entry) + + These entities are processed in three stages. + + 1. Individual certificates are verified by checking their + signatures and possibly performing other work. They are then + mapped to intermediate forms, called "tuples" here. + + The other work for SPKI or SDSI certificates might include + processing of on-line test results (CRL, re-validation or one- + time validation). + + The other work for PGP certificates may include a web-of-trust + computation. + + The other work for X.509 certificates depends on the written + documentation for that particular use of X.509 (typically tied + to the root key from which the certificate descended) and could + + + +Ellison, et al. Experimental [Page 22] + +RFC 2693 SPKI Certificate Theory September 1999 + + + involve checking information in the parent certificate as well + as additional information in extensions of the certificate in + question. That is, some use X.509 certificates just to define + names. Others use X.509 to communicate an authorization + implicitly (e.g., SSL server certificates). Some might define + extensions of X.509 to carry explicit authorizations. All of + these interpretations are specified in written documentation + associated with the certificate chain and therefore with the + root from which the chain descends. + + If on-line tests are involved in the certificate processing, + then the validity dates of those on-line test results are + intersected by VIntersect() [defined in 6.3.2, below] with the + validity dates of the certificate to yield the dates in the + certificate's tuple(s). + + 2. Uses of names are replaced with simple definitions (keys or + hashes), based on the name definitions available from reducing + name 4-tuples. + + 3. Authorization 5-tuples are then reduced to a final authorization + result. + +6.1 5-tuple Defined + + The 5-tuple is an intermediate form, assumed to be held in trusted + memory so that it doesn't need a digital signature for integrity. It + is produced from certificates or other credentials via trusted + software. Its contents are the same as the contents of an SPKI + certificate body, but it might be derived from another form of + certificate or from an ACL entry. + + The elements of a 5-tuple are: + + 1. Issuer: a public key (or its hash), or the reserved word "Self". + This identifies the entity speaking this intermediate result. + + 2. Subject: a public key (or its hash), a name used to identify a + public key, the hash of an object or a threshold function of + subordinate subjects. This identifies the entity being spoken + about in this intermediate result. + + 3. Delegation: a boolean. If TRUE, then the Subject is permitted + by the Issuer to further propagate the authorization in this + intermediate result. + + 4. Authorization: an S-expression. [Rules for combination of + Authorizations are given below.] + + + +Ellison, et al. Experimental [Page 23] + +RFC 2693 SPKI Certificate Theory September 1999 + + + 5. Validity dates: a not-before date and a not-after date, where + "date" means date and time. If the not-before date is missing + from the source credential then minus infinity is assumed. If + the not-after date is missing then plus infinity is assumed. + +6.2 4-tuple Defined + + A <name,key> certificate (such as X.509v1 or SDSI 1.0) carries no + authorization field but does carry a name. Since it is qualitatively + different from an authorization certificate, a separate intermediate + form is defined for it. + + The elements of a Name 4-tuple are: + + 1. Issuer: a public key (or its hash). This identifies the entity + defining this name in its private name space. + + 2. Name: a byte string + + 3. Subject: a public key (or its hash), a name, or a threshold + function of subordinate subjects. This defines the name. + + 4. Validity dates: a not-before date and a not-after date, where + "date" means date and time. If the not-before date is missing + from the source credential then minus infinity is assumed. If + the not-after date is missing then plus infinity is assumed. + +6.3 5-tuple Reduction Rules + + The two 5-tuples: + + <I1,S1,D1,A1,V1> + <I2,S2,D2,A2,V2> + + yield + + <I1,S2,D2,AIntersect(A1,A2),VIntersect(V1,V2)> + + provided + + the two intersections succeed, + + S1 = I2 + + and + + D1 = TRUE + + + + + +Ellison, et al. Experimental [Page 24] + +RFC 2693 SPKI Certificate Theory September 1999 + + + If S1 is a threshold subject, there is a slight modification to this + rule, as described below in section 6.3.3. + +6.3.1 AIntersect + + An authorization is a list of strings or sub-lists, of meaning to and + probably defined by the application that will use this authorization + for access control. Two authorizations intersect by matching, + element for element. If one list is longer than the other but match + at all elements where both lists have elements, then the longer list + is the result of the intersection. This means that additional + elements of a list must restrict the permission granted. + + Although actual authorization string definitions are application + dependent, AIntersect provides rules for automatic intersection of + these strings so that application developers can know the semantics + of the strings they use. Special semantics would require special + reduction software. + + For example, there might be an ftpd that allows public key access + control, using authorization certificates. Under that service, + + (ftp (host ftp.clark.net)) + + might imply that the keyholder would be allowed ftp access to all + directories on ftp.clark.net, with all kinds of access (read, write, + delete, ...). This is more general (allows more access) than + + (ftp (host ftp.clark.net) (dir /pub/cme)) + + which would allow all kinds of access but only in the directory + specified. The intersection of the two would be the second. + + Since the AIntersect rules imply position dependency, one could also + define the previous authorization string as: + + (ftp ftp.clark.net /pub/cme) + + to keep the form compact. + + To allow for wild cards, there are a small number of special S- + expressions defined, using "*" as the expression name. + + (*) + stands for the set of all S-expressions and byte-strings. + In other words, it will match anything. When intersected + with anything, the result is that other thing. [The + AIntersect rule about lists of different length treats a + + + +Ellison, et al. Experimental [Page 25] + +RFC 2693 SPKI Certificate Theory September 1999 + + + list as if it had enough (*) entries implicitly appended to + it to match the length of another list with which it was + being intersected.] + + (* set <tag-expr>*) + stands for the set of elements listed in the *-form. + + (* prefix <byte-string>) + stands for the set of all byte strings that start with the + one given in the *-form. + + (* range <ordering> <lower-limit>? <upper-limit>?) + stands for the set of all byte strings lexically (or + numerically) between the two limits. The ordering + parameter (alpha, numeric, time, binary, date) specifies + the kind of strings allowed. + + AIntersect() is normal set intersection, when *-forms are defined as + they are above and a normal list is taken to mean all lists that + start with those elements. The following examples should give a more + concrete explanation for those who prefer an explanation without + reference to set operations. + + AIntersect( (tag (ftp ftp.clark.net cme (* set read write))), + (tag (*)) ) + + evaluates to (tag (ftp ftp.clark.net cme (* set read write))) + + AIntersect( (tag (* set read write (foo bla) delete)), + (tag (* set write read) ) ) + + evaluates to (tag (* set read write)) + + AIntersect( (tag (* set read write (foo bla) delete)), + (tag read ) ) + + evaluates to (tag read) + + AIntersect( (tag (* prefix http://www.clark.net/pub/)), + (tag (* prefix http://www.clark.net/pub/cme/html/)) ) + + evaluates to (tag (* prefix http://www.clark.net/pub/cme/html/)) + + AIntersect( (tag (* range numeric ge #30# le #39# )), (tag #26#) ) + + fails to intersect. + + + + + +Ellison, et al. Experimental [Page 26] + +RFC 2693 SPKI Certificate Theory September 1999 + + +6.3.2 VIntersect + + Date range intersection is straight-forward. + + V = VIntersect( X, Y ) + + is defined as + + Vmin = max( Xmin, Ymin ) + + Vmax = min( Xmax, Ymax ) + + and if Vmin > Vmax, then the intersection failed. + + These rules assume that daytimes are expressed in a monotonic form, + as they are in SPKI. + + The full SPKI VIntersect() also deals with online tests. In the most + straight-forward implementation, each online test to which a + certificate is subject is evaluated. Each such test carries with it + a validity interval, in terms of dates. That validity interval is + intersected with any present in the certificate, to yield a new, + current validity interval. + + It is possible for an implementation of VIntersect() to gather up + online tests that are present in each certificate and include the + union of all those tests in the accumulating tuples. In this case, + the evaluation of those online tests is deferred until the end of the + process. This might be appropriate if the tuple reduction is being + performed not for answering an immediate authorization question but + rather for generation of a summary certificate (Certificate Result + Certificate) that one might hope would be useful for a long time. + +6.3.3 Threshold Subjects + + A threshold subject is specified by two numbers, K and N [0<K<=N], + and N subordinate subjects. A threshold subject is reduced to a + single subject by selecting K of the N subjects and reducing each of + those K to the same subject, through a sequence of certificates. The + (N-K) unselected subordinate subjects are set to (null). + + The intermediate form for a threshold subject is a copy of the tuple + in which the threshold subject appears, but with only one of the + subordinate subjects. Those subordinate tuples are reduced + individually until the list of subordinate tuples has (N-K) (null) + entries and K entries with the same subject. At that point, those K + tuples are validity-, authorization- and delegation- intersected to + yield the single tuple that will replace the list of tuples. + + + +Ellison, et al. Experimental [Page 27] + +RFC 2693 SPKI Certificate Theory September 1999 + + +6.3.4 Certificate Path Discovery + + All reduction operations are in the order provided by the prover. + That simplifies the job of the verifier, but leaves the job of + finding the correct list of reductions to the prover. + + The general algorithm for finding the right certificate paths from a + large set of unordered certificates has been solved[ELIEN], but might + be used only rarely. Each keyholder who is granted some authority + should receive a sequence of certificates delegating that authority. + That keyholder may then want to delegate part of this authority on to + some other keyholder. To do that, a single additional certificate is + generated and appended to the sequence already available, yielding a + sequence that can be used by the delegatee to prove access + permission. + +6.4 4-tuple Reduction + + There will be name 4-tuples in two different classes, those that + define the name as a key and those that define the name as another + name. + + 1. [(name K1 N) -> K2] + + 2. [(name K1 N) -> (name K2 N1 N2 ... Nk)] + + As with the 5-tuples discussed in the previous section, name + definition 4-tuples should be delivered in the order needed by the + prover. In that case, the rule for name reduction is to replace the + name just defined by its definition. For example, + + (name K1 N N1 N2 N3) + [(name K1 N) -> K2] + + -> (name K2 N1 N2 N3) + + or, in case 2 above, + + (name K1 N Na Nb Nc) + [(name K1 N) -> (name K2 N1 N2 ... Nk)] + + -> (name K2 N1 N2 ... Nk Na Nb Nc) + + With the second form of name definition, one might have names that + temporarily grow. If the prover is providing certificates in order, + then the verifier need only do as it is told. + + + + + + + +Ellison, et al. Experimental [Page 28] + +RFC 2693 SPKI Certificate Theory September 1999 + + + If the verifier is operating from an unordered pool of tuples, then a + safe rule for name reduction is to apply only those 4-tuples that + define a name as a key. Such applications should bring 4-tuples that + started out in class (2) into class (1), and eventually reduce all + names to keys. Any naming loops are avoided by this process. + +6.4.1 4-tuple Threshold Subject Reduction + + Some of a threshold subject's subordinate subjects might be names. + Those names must be reduced by application of 4-tuples. The name + reduction process proceeds independently on each name in the + subordinate subject as indicated in 6.3.3 above. + + One can reduce individual named subjects in a threshold subject and + leave the subject in threshold form, if one desires. There is no + delegation- or authorization-intersection involved, only a validity- + intersection during name reduction. This might be used by a service + that produces Certificate Result Certificates [see 6.7]. + +6.4.2 4-tuple Validity Intersection + + Whenever a 4-tuple is used to reduce the subject (or part of the + subject) of another tuple, its validity interval is intersected with + that of the tuple holding the subject being reduced and the + intersection is used in the resulting tuple. Since a 4-tuple + contains no delegation or authorization fields, the delegation + permission and authorization of the tuple being acted upon does not + change. + +6.5 Certificate Translation + + Any certificate currently defined, as well as ACL entries and + possibly other instruments, can be translated to 5-tuples (or name + tuples) and therefore take part in an authorization computation. The + specific rules for those are given below. + +6.5.1 X.509v1 + + The original X.509 certificate is a <name,key> certificate. It + translates directly to a name tuple. The form + + [Kroot, (name <leaf-name>), K1, validity] + + is used if the rules for that particular X.509 hierarchy is that all + leaf names are unique, under that root. If uniqueness of names + applies only to individual CAs in the X.509 hierarchy, then one must + generate + + + + +Ellison, et al. Experimental [Page 29] + +RFC 2693 SPKI Certificate Theory September 1999 + + + [Kroot, (name CA1 CA2 ... CAk <leaf-name>), K1, validity] + + after verifying the certificate chain by the rules appropriate to + that particular chain. + +6.5.2 PGP + + A PGP certificate is a <name,key> certificate. It is verified by + web-of-trust rules (as specified in the PGP documentation). Once + verified, it yields name tuples of the form + + [Ki, name, K1, validity] + + where Ki is a key that signed that PGP (UserID,key) pair. There + would be one tuple produced for each signature on the key, K1. + +6.5.3 X.509v3 + + An X.509v3 certificate may be used to declare a name. It might also + declare explicit authorizations, by way of extensions. It might also + declare an implicit authorization of the form (tag (*)). The actual + set of tuples it yields depends on the documentation associated with + that line of certificates. That documentation could conceptually be + considered associated with the root key of the certificate chain. In + addition, some X.509v3 certificates (such as those used for SET), + have defined extra validity tests for certificate chains depending on + custom extensions. As a result, it is likely that X.509v3 chains + will have to be validated independently, by chain validation code + specific to each root key. After that validation, that root-specific + code can then generate the appropriate multiple tuples from the one + certificate. + +6.5.4 X9.57 + + An X9.57 attribute certificate should yield one or more 5-tuples, + with names as Subject. The code translating the attribute + certificate will have to build a fully-qualified name to represent + the Distinguished Name in the Subject. For any attribute + certificates that refer to an ID certificate explicitly, the Subject + of the 5-tuple can be the key in that ID certificate, bypassing the + construction of name 4-tuples. + +6.5.5 SDSI 1.0 + + A SDSI 1.0 certificate maps directly to one 4-tuple. + + + + + + +Ellison, et al. Experimental [Page 30] + +RFC 2693 SPKI Certificate Theory September 1999 + + +6.5.6 SPKI + + An SPKI certificate maps directly to one 4- or 5- tuple, depending + respectively on whether it is a name certificate or carries an + authorization. + +6.5.7 SSL + + An SSL certificate carries a number of authorizations, some + implicitly. The authorization: + + (tag (ssl)) + + is implicit. In addition, the server certificate carries a DNS name + parameter to be matched against the DNS name of the web page to which + the connection is being made. That might be encoded as: + + (tag (dns <domain-name>)) + + Meanwhile, there is the "global cert" permission -- the permission + for a US-supplied browser to connect using full strength symmetric + cryptography even though the server is outside the USA. This might + be encoded as: + + (tag (us-crypto)) + + There are other key usage attributes that would also be encoded as + tag fields, but a full discussion of those fields is left to the + examples document. + + An ACL entry for an SSL root key would have the tag: + + (tag (* set (ssl) (dns (*)))) + + which by the rules of intersection is equivalent to: + + (tag (* set (ssl) (dns))) + + unless that root key also had the permission from the US Commerce + Department to grant us-crypto permission, in which case the root key + would have: + + (tag (* set (ssl) (dns) (us-crypto))) + + + + + + + + +Ellison, et al. Experimental [Page 31] + +RFC 2693 SPKI Certificate Theory September 1999 + + + A CA certificate, used for SSL, would then need only to communicate + down its certificate chain those permissions allocated in the ACL. + Its tag might then translate to: + + (tag (*)) + + A leaf server certificate for the Datafellows server might, for + example, have a tag field of the form: + + (tag (* set (ssl) (dns www.datafellows.com))) + + showing that it was empowered to do SSL and to operate from the given + domain name, but not to use US crypto with a US browser. + + The use of (* set) for the two attributes in this example could have + been abbreviated as: + + (tag (ssl www.datafellows.com)) + + while CA certificates might carry: + + (tag (ssl (*))) or just (tag (*)) + + but separating them, via (* set), allows for a future enhancement of + SSL in which the (ssl) permission is derived from one set of root + keys (those of current CAs) while the (dns) permission is derived + from another set of root keys (those empowered to speak in DNSSEC) + while the (us-crypto) permission might be granted only to a root key + belonging to the US Department of Commerce. The three separate tests + in the verifying code (e.g., the browser) would then involve separate + 5-tuple reductions from separate root key ACL entries. + + The fact that these three kinds of permission are treated as if ANDed + is derived from the logic of the code that interprets the permissions + and is not expressed in the certificate. That decision is embodied + in the authorization code executed by the verifying application. + +6.6 Certificate Result Certificates + + Typically, one will reduce a chain of certificates to answer an + authorization question in one of two forms: + + 1. Is this Subject, S, allowed to do A, under this ACL and with + this set of certificates? + + 2. What is Subject S allowed to do, under this ACL and with this + set of certificates? + + + + +Ellison, et al. Experimental [Page 32] + +RFC 2693 SPKI Certificate Theory September 1999 + + + The answer to the second computation can be put into a new + certificate issued by the entity doing the computation. That one + certificate corresponds to the semantics of the underlying + certificates and online test results. We call it a Certificate + Result Certificate. + +7. Key Management + + Cryptographic keys have limited lifetimes. Keys can be stolen. Keys + might also be discovered through cryptanalysis. If the theft is + noticed, then the key can be replaced as one would replace a credit + card. More likely, the theft will not be noticed. To cover this + case, keys are replaced routinely. + + The replacement of a key needs to be announced to those who would use + the new key. It also needs to be accomplished smoothly, with a + minimum of hassle. + + Rather than define a mechanism for declaring a key to be bad or + replaced, SPKI defines a mechanism for giving certificates limited + lifetimes so that they can be replaced. That is, under SPKI one does + not declare a key to be bad but rather stops empowering it and + instead empowers some other key. This limitation of a certificate's + lifetime might be by limited lifetime at time of issuance or might be + via the lifetime acquired through an on-line test (CRL, revalidation + or one-time). Therefore, all key lifetime control becomes + certificate lifetime control. + +7.1 Through Inescapable Names + + If keyholders had inescapable names [see section 2.5, above], then + one could refer to them by those names and define a certificate to + map from an inescapable name to the person's current key. That + certificate could be issued by any CA, since all CAs would use the + inescapable name for the keyholder. The attribute certificates and + ACLs that refer to the keyholder would all refer to this one + inescapable name. + + However, there are no inescapable names for keyholders. [See section + 2.5, above.] + +7.2 Through a Naming Authority + + One could conceivably have a governmental body or other entity that + would issue names voluntarily to a keyholder, strictly for the + purpose of key management. One would then receive all authorizations + through that name. There would have to be only one such authority, + + + + +Ellison, et al. Experimental [Page 33] + +RFC 2693 SPKI Certificate Theory September 1999 + + + however. Otherwise, names would have to be composed of parts: an + authority name and the individual's name. The authority name would, + in turn, have to be granted by some single global authority. + + That authority then becomes able to create keys of its own and + certificates to empower them as any individual, and through those + false certificates acquire access rights of any individual in the + world. Such power is not likely to be tolerated. Therefore, such a + central authority is not likely to come to pass. + +7.3 Through <name,key> Certificates + + Instead of inescapable names or single-root naming authorities, we + have names assigned by some entity that issues a <name,key> + certificate. As noted in sections 2.8 and 2.9, above, such names + have no meaning by themselves. They must be fully qualified to have + meaning. + + Therefore, in the construct: + + (name (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|) jim) + + the name is not + + "jim" + + but rather + + "(name (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|) jim)" + + This name includes a public key (through its hash, in the example + above). That key has a lifetime like any other key, so this name has + not achieved the kind of permanence (free from key lifetimes) that an + inescapable name has. However, it appears to be our only + alternative. + + This name could easily be issued by the named keyholder, for the + purpose of key management only. In that case, there is no concern + about access control being subverted by some third-party naming + authority. + +7.4 Increasing Key Lifetimes + + By the logic above, any name will hang off some public key. The job + is then to increase the lifetime of that public key. Once a key + lifetime exceeds the expected lifetime of any authorization granted + through it, then a succession of new, long-lifetime keys can cover a + keyholder forever. + + + +Ellison, et al. Experimental [Page 34] + +RFC 2693 SPKI Certificate Theory September 1999 + + + For a key to have a long lifetime, it needs to be strong against + cryptanalytic attack and against theft. It should be used only on a + trusted machine, running trusted software. It should not be used on + an on-line machine. It should be used very rarely, so that the + attacker has few opportunities to find the key in the clear where it + can be stolen. + + Different entities will approach this set of requirements in + different ways. A private individual, making his own naming root key + for this purpose, has the advantage of being too small to invite a + well funded attack as compared to the attacks a commercial CA might + face. + +7.5 One Root Per Individual + + In the limit, one can have one highly protected naming root key for + each individual. One might have more than one such key per + individual, in order to frustrate attempts to build dossiers, but let + us assume only one key for the immediate discussion. + + If there is only one name descending from such a key, then one can + dispense with the name. Authorizations can be assigned to the key + itself, in raw SPKI style, rather than to some name defined under + that key. There is no loss of lifetime -- only a change in the + subject of the certificate the authorizing key uses to delegate + authority. + + However, there is one significant difference, under the SPKI + structure. If one delegates some authorization to + + (name (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|) carl) + + and a different authorization to + + (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|) + + directly, both without granting the permission to delegate, that key + can delegate at will through <name,key> certificates in the former + case and not delegate at all in the latter case. + + In the case of key management, we desire the ability to delegate from + a long lived, rarely used key to a shorter lived, often used key -- + so in this case, the former mechanism (through a SDSI name) gives + more freedom. + + + + + + + +Ellison, et al. Experimental [Page 35] + +RFC 2693 SPKI Certificate Theory September 1999 + + +7.6 Key Revocation Service + + In either of the models above, key |TLCgPLFlGTzgUbcaYLW8kGTEnUk=| + will issue a certificate. In the first model, it will be a + <name,key> certificate. In the second, it will be an authorization + certificate delegating all rights through to the more temporary key. + + Either of those certificates might want an on-line validity test. + Whether this test is in the form of a CRL, a re-validation or a one- + time test, it will be supplied by some entity that is on-line. + + As the world moves to having all machines on-line all the time, this + might be the user's machine. However, until then -- and maybe even + after then -- the user might want to hire some service to perform + this function. That service could run a 24x7 manned desk, to receive + phone calls reporting loss of a key. That authority would not have + the power to generate a new key for the user, only to revoke a + current one. + + If, in the worst case, a user loses his master key, then the same + process that occurs today with lost wallets would apply. All issuers + of authorizations through that master key would need to issue new + authorizations through the new master key and, if the old master key + had been stolen, cancel all old authorizations through that key. + +7.7 Threshold ACL Subjects + + One can take extraordinary measures to protect root keys and thus + increase the lifetimes of those keys. The study of computer fault- + tolerance teaches us that truly long lifetimes can be achieved only + by redundancy and replacement. Both can be achieved by the use of + threshold subjects [section 6.3.3], especially in ACL entries. + + If we use a threshold subject in place of a single key subject, in an + ACL (or a certificate), then we achieve redundancy immediately. This + can be redundancy not only of keys but also of algorithms. That is, + the keys in a threshold subject do not need to have the same + algorithm. + + Truly long lifetimes come from replacement, not just redundancy. As + soon as a component fails (or a key is assumed compromised), it must + be replaced. + + An ACL needs to be access-controlled itself. Assume that the ACL + includes an entry with authorization + + (tag (acl-edit)) + + + + +Ellison, et al. Experimental [Page 36] + +RFC 2693 SPKI Certificate Theory September 1999 + + + Assume also that what might have been a single root authorization + key, K1, is actually a threshold subject + + (k-of-n #03# #07# K1 K2 K3 K4 K5 K6 K7) + + used in any ACL entry granting a normal authorization. + + That same ACL could have the subject of an (acl-edit) entry be + + (k-of-n #05# #07# K1 K2 K3 K4 K5 K6 K7) + + This use of threshold subject would allow the set of root keys to + elect new members to that set and retire old members. In this + manner, replacement is achieved alongside redundancy and the proper + choice of K and N should allow threshold subject key lifetimes + approaching infinity. + +8. Security Considerations + + There are three classes of information that can be bound together by + public key certificates: key, name and authorization. There are + therefore three general kinds of certificate, depending on what pair + of items the certificate ties together. If one considers the + direction of mapping between items, there are six classes: name->key, + key->name, authorization->name, name->authorization, authorization- + >key, key->authorization. + + The SPKI working group concluded that the most important use for + certificates was access control. Given the various kinds of mapping + possible, there are at least two ways to implement access control. + One can use a straight authorization certificate: + + (authorization->key) + + or one can use an attribute certificate and an ID certificate: + + (authorization->name) + (name->key) + + There are at least two ways in which the former is more secure than + the latter. + + 1. Each certificate has an issuer. If that issuer is subverted, + then the attacker can gain access. In the former case, there is + only one issuer to trust. In the latter case, there are two. + + 2. In the second case, linkage between the certificates is by name. + If the name space of the issuer of the ID certificate is + different from the name space of the issuer of the attribute + + + +Ellison, et al. Experimental [Page 37] + +RFC 2693 SPKI Certificate Theory September 1999 + + + certificate, then one of the two issuers must use a foreign name + space. The process of choosing the appropriate name from a + foreign name space is more complex than string matching and + might even involve a human guess. It is subject to mistakes. + Such a mistake can be made by accident or be guided by an + attacker. + + This is not to say that one must never use the second construct. If + the two certificates come from the same issuer, and therefore with + the same name space, then both of the security differentiators above + are canceled. + +References + + [Ab97] Abadi, Martin, "On SDSI's Linked Local Name Spaces", + Proceedings of the 10th IEEE Computer Security + Foundations Workshop (June 1997). + + [BFL] Matt Blaze, Joan Feigenbaum and Jack Lacy, "Distributed + Trust Management", Proceedings 1996 IEEE Symposium on + Security and Privacy. + + [CHAUM] D. Chaum, "Blind Signatures for Untraceable Payments", + Advances in Cryptology -- CRYPTO '82, 1983. + + [DH] Whitfield Diffie and Martin Hellman, "New Directions in + Cryptography", IEEE Transactions on Information Theory, + November 1976, pp. 644-654. + + [DvH] J. B. Dennis and E. C. Van Horn, "Programming Semantics + for Multiprogrammed Computations", Communications of the + ACM 9(3), March 1966. + + [ECR] Silvio Micali, "Efficient Certificate Revocation", + manuscript, MIT LCS. + + [ELIEN] Jean-Emile Elien, "Certificate Discovery Using SPKI/SDSI + 2.0 Certificates", Masters Thesis, MIT LCS, May 1998, + <http://theory.lcs.mit.edu/~cis/theses/elien-masters.ps> + [also .pdf and + + [HARDY] Hardy, Norman, "THE KeyKOS Architecture", Operating + Systems Review, v.19 n.4, October 1985. pp 8-25. + + [IDENT] Carl Ellison, "Establishing Identity Without + Certification Authorities", USENIX Security Symposium, + July 1996. + + + + +Ellison, et al. Experimental [Page 38] + +RFC 2693 SPKI Certificate Theory September 1999 + + + [IWG] McConnell and Appel, "Enabling Privacy, Commerce, + Security and Public Safety in the Global Information + Infrastructure", report of the Interagency Working Group + on Cryptography Policy, May 12, 1996; (quote from + paragraph 5 of the Introduction). + + [KEYKOS] Bomberger, Alan, et al., "The KeyKOS(r) Nanokernel + Architecture", Proceedings of the USENIX Workshop on + Micro-Kernels and Other Kernel Architectures, USENIX + Association, April 1992. pp 95-112 (In addition, there + are KeyKOS papers on the net available through + <http://www.cis.upenn.edu/~KeyKOS/#bibliography>). + + [KOHNFELDER] Kohnfelder, Loren M., "Towards a Practical Public-key + Cryptosystem", MIT S.B. Thesis, May. 1978. + + [LAMPSON] B. Lampson, M. Abadi, M. Burrows, and E. Wobber, + "Authentication in distributed systems: Theory and + practice", ACM Trans. Computer Systems 10, 4 (Nov. + 1992), pp 265-310. + + [LANDAU] Landau, Charles, "Security in a Secure Capability-Based + System", Operating Systems Review, Oct 1989 pp 2-4. + + [LEVY] Henry M. Levy, "Capability-Based Computer Systems", + Digital Press, 12 Crosby Dr., Bedford MA 01730, 1984. + + [LINDEN] T. A. Linden, "Operating System Structures to Support + Security and Reliable Software", Computing Surveys 8(4), + December 1976. + + [PKCS1] PKCS #1: RSA Encryption Standard, RSA Data Security, + Inc., 3 June 1991, Version 1.4. + + [PKLOGIN] David Kemp, "The Public Key Login Protocol", Work in + Progress. + + [R98] R. Rivest, "Can We Eliminate Revocation Lists?", to + appear in the Proceedings of Financial Cryptography + 1998, <http://theory.lcs.mit.edu/~rivest/revocation.ps>. + + [RFC1114] Kent, S. and J. Linn, "Privacy Enhancement for Internet + Electronic Mail: Part II -- Certificate-Based Key + Management", RFC 1114, August 1989. + + [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC + 1321, April 1992. + + + + +Ellison, et al. Experimental [Page 39] + +RFC 2693 SPKI Certificate Theory September 1999 + + + [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail + Extensions (MIME) Part One: Format of Internet Message + Bodies", RFC 2045, December 1996. + + [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail + Extensions (MIME) Part Two: Media Types", RFC 2046, + December 1996. + + [RFC2047] K. Moore, "MIME (Multipurpose Internet Mail Extensions) + Part Three: Message Header Extensions for Non-ASCII + Text", RFC 2047, December 1996. + + [RFC2065] Eastlake, D. and C. Kaufman, "Proposed Standard for DNS + Security", RFC 2065, January 1997. + + [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC 2104, + February 1997. + + [SDSI] Ron Rivest and Butler Lampson, "SDSI - A Simple + Distributed Security Infrastructure [SDSI]", + <http://theory.lcs.mit.edu/~cis/sdsi.html>. + + [SET] Secure Electronic Transactions -- a protocol designed by + VISA, MasterCard and others, including a certificate + structure covering all participants. See + <http://www.visa.com/>. + + [SEXP] Ron Rivest, code and description of S-expressions, + <http://theory.lcs.mit.edu/~rivest/sexp.html>. + + [SRC-070] Abadi, Burrows, Lampson and Plotkin, "A Calculus for + Access Control in Distributed Systems", DEC SRC-070, + revised August 28, 1991. + + [UPKI] C. Ellison, "The nature of a useable PKI", Computer + Networks 31 (1999) pp. 823-830. + + [WEBSTER] "Webster's Ninth New Collegiate Dictionary", Merriam- + Webster, Inc., 1991. + +Acknowledgments + + Several independent contributions, published elsewhere on the net or + in print, worked in synergy with our effort. Especially important to + our work were: [SDSI], [BFL] and [RFC2065]. The inspiration we + received from the notion of CAPABILITY in its various forms (SDS-940, + Kerberos, DEC DSSA, [SRC-070], KeyKOS [HARDY]) can not be over-rated. + + + +Ellison, et al. Experimental [Page 40] + +RFC 2693 SPKI Certificate Theory September 1999 + + + Significant contributions to this effort by the members of the SPKI + mailing list and especially the following persons (listed in + alphabetic order) are gratefully acknowledged: Steve Bellovin, Mark + Feldman, John Gilmore, Phill Hallam-Baker, Bob Jueneman, David Kemp, + Angelos D. Keromytis, Paul Lambert, Jon Lasser, Jeff Parrett, Bill + Sommerfeld, Simon Spero. + +Authors' Addresses + + Carl M. Ellison + Intel Corporation + 2111 NE 25th Ave M/S JF3-212 + Hillsboro OR 97124-5961 USA + + Phone: +1-503-264-2900 + Fax: +1-503-264-6225 + EMail: carl.m.ellison@intel.com + cme@alum.mit.edu + Web: http://www.pobox.com/~cme + + + Bill Frantz + Electric Communities + 10101 De Anza Blvd. + Cupertino CA 95014 + + Phone: +1 408-342-9576 + EMail: frantz@netcom.com + + + Butler Lampson + Microsoft + 180 Lake View Ave + Cambridge MA 02138 + + Phone: +1 617-547-9580 (voice + FAX) + EMail: blampson@microsoft.com + + + + + + + + + + + + + + +Ellison, et al. Experimental [Page 41] + +RFC 2693 SPKI Certificate Theory September 1999 + + + Ron Rivest + Room 324, MIT Laboratory for Computer Science + 545 Technology Square + Cambridge MA 02139 + + Phone: +1-617-253-5880 + Fax: +1-617-258-9738 + EMail: rivest@theory.lcs.mit.edu + Web: http://theory.lcs.mit.edu/~rivest + + + Brian Thomas + Southwestern Bell + One Bell Center, Room 34G3 + St. Louis MO 63101 USA + + Phone: +1 314-235-3141 + Fax: +1 314-235-0162 + EMail: bt0008@sbc.com + + + Tatu Ylonen + SSH Communications Security Ltd. + Tekniikantie 12 + FIN-02150 ESPOO + Finland + + EMail: ylo@ssh.fi + + + + + + + + + + + + + + + + + + + + + + + +Ellison, et al. Experimental [Page 42] + +RFC 2693 SPKI Certificate Theory September 1999 + + +Full Copyright Statement + + Copyright (C) The Internet Society (1999). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Ellison, et al. Experimental [Page 43] + |