dotgnu-auth

[Auth]Authorization Certificates


From: Johan Hanson
Subject: [Auth]Authorization Certificates
Date: Sun, 15 Jul 2001 00:02:51 +0200

Has anybody had any thought of using X.509v3 Authorization Certificates
for authorization in DotGNU?

Another term for "Authorization Certificate" that is more common in the 
classic security literature is "Capability".
A Capability/Auth.Cert. is simply a reference to an object
with bundled access rights to that object.
Holding an authorization certificate is enough to authorize the holder
to exercise the rights granted by the certificate/capability.

What I like about capability security is that it is:
 - Inherently peer-to-peer
 - No personal information has to be disclosed to the server of
   a request

(I am not so sure if that applies specifically to X.509v3 certificates,
but it does apply to similar, older systems such as Amoeba.)
The theory behind capability-based security dates back to the 70's and
it has been heavily researched.

More reading:
 - RFC 2693: SPKI Theory, http://www.ietf.org/rfc/rfc2693.txt
 - Notes about theory, http://www.cap-lore.com
 - Cap-based system, http://www.e-rights.org
 - Slightly unusual theory paper,
http://mumble.net/jar/pubs/secureos/secureos.html

-- 
/ address@hidden
-------------------------------------------------------------------------
char*s="address@hidden                        ",c,a[40],r[40];q(p,a)char*p
;{*p=(*p?*p-1-a:rand())%24+a;}main(){l:for(c=40;--c;){q(r+c,0);q(a+c,13);
printf("\e[%d;%dH%c\n",24-r[c],c*2+1,s[a[c]]);}usleep(1<<12);goto l;}
----------------------------------------------- 218 bytes -- aj där ya --
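
The idea described in the message above (a reference to an object with bundled rights, where holding it is enough to be authorized), as an added example that is not part of the original post or of any DotGNU code. The HMAC-sealed tuple format, the `ObjectServer` class and the rights bits are assumptions made for illustration; this is not the X.509v3 or SPKI certificate format.

```python
import hashlib
import hmac
import secrets

READ, WRITE = 1, 2  # rights bits, constructed for this example


class ObjectServer:
    """Guards objects by capability only; it keeps no accounts or identities."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # sealing key, never leaves the server
        self._objects = {}

    def _seal(self, obj_id, rights):
        # The MAC binds the rights to the object reference.
        msg = f"{rights:d}|{obj_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _check(self, cap, needed):
        obj_id, rights, seal = cap
        if not hmac.compare_digest(seal, self._seal(obj_id, rights)):
            raise PermissionError("forged or altered capability")
        if rights & needed != needed:
            raise PermissionError("capability does not carry this right")
        return obj_id

    def create(self, obj_id, data):
        """Store an object and return a capability carrying all rights."""
        self._objects[obj_id] = data
        return (obj_id, READ | WRITE, self._seal(obj_id, READ | WRITE))

    def restrict(self, cap, keep):
        """Derive a weaker capability to hand to another peer."""
        obj_id, rights, _ = cap
        self._check(cap, 0)  # only a valid capability can be narrowed
        return (obj_id, rights & keep, self._seal(obj_id, rights & keep))

    def read(self, cap):
        return self._objects[self._check(cap, READ)]

    def write(self, cap, data):
        self._objects[self._check(cap, WRITE)] = data


if __name__ == "__main__":
    server = ObjectServer()
    owner = server.create("report.txt", "draft 1")
    reader = server.restrict(owner, READ)
    print(server.read(reader))  # the request names no user, only the capability
```

Because the capability is a bearer token, anyone who obtains a copy holds its rights, so it has to be protected in transit and in storage like any other secret.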

