[Auth]Authorization Certificates
From: Johan Hanson
Subject: [Auth]Authorization Certificates
Date: Sun, 15 Jul 2001 00:02:51 +0200
Has anybody had any thought of using X.509v3 Authorization Certificates
for authorization in DotGNU?
Another term for "Authorization Certificate" that is more common in the
classic security literature is "Capability".
A Capability/Auth.Cert. is simply a reference to an object
with bundled access rights to that object.
Holding an authorization certificate is enough to authorize the holder
to exercise the rights granted by the certificate/capability.
What I like about capability security is that it is:
- Inherently peer-to-peer
- No personal information has to be disclosed to the server of
a request
(I am not so sure if that applies specifically to X.509v3 certificates,
but it does apply to similar, older systems such as Amoeba)
The theory behind capability-based security dates back to the 70's and
it has been heavily researched.
More reading:
- RFC 2693: SPKI Theory, http://www.ietf.org/rfc/rfc2693.txt
- Notes about theory, http://www.cap-lore.com
- Cap-based system, http://www.e-rights.org
- Slightly unusual theory paper,
http://mumble.net/jar/pubs/secureos/secureos.html
--
/ address@hidden
-------------------------------------------------------------------------
char*s="address@hidden ",c,a[40],r[40];q(p,a)char*p
;{*p=(*p?*p-1-a:rand())%24+a;}main(){l:for(c=40;--c;){q(r+c,0);q(a+c,13);
printf("\e[%d;%dH%c\n",24-r[c],c*2+1,s[a[c]]);}usleep(1<<12);goto l;}
----------------------------------------------- 218 bytes -- aj där ya --
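
The capability described in this message (an object reference bundled with access rights, honoured on possession alone) can be sketched as follows. This is an added example, not code from the original post or from DotGNU; it assumes a server-side HMAC check field instead of an X.509v3 signature, and `ObjectServer`, `Capability` and the rights constants are hypothetical names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

READ, WRITE, DELETE = 1, 2, 4  # rights are a bitmask bundled with the reference

@dataclass(frozen=True)
class Capability:
    object_id: str   # reference to the object
    rights: int      # access rights bundled with that reference
    check: bytes     # issuer's MAC over (object_id, rights)

class ObjectServer:  # hypothetical server that issues and honours capabilities
    def __init__(self):
        self._key = secrets.token_bytes(32)   # MAC key never leaves the server
        self._objects = {}

    def _mac(self, object_id, rights):
        # Length-prefix the id so (object_id, rights) encodes unambiguously.
        msg = len(object_id).to_bytes(2, "big") + object_id.encode() + rights.to_bytes(4, "big")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def create(self, object_id, data):
        self._objects[object_id] = data
        all_rights = READ | WRITE | DELETE
        return Capability(object_id, all_rights, self._mac(object_id, all_rights))

    def restrict(self, cap, rights):
        # Derive a weaker capability for delegation; it can never exceed cap.rights.
        self._verify(cap, 0)
        kept = cap.rights & rights
        return Capability(cap.object_id, kept, self._mac(cap.object_id, kept))

    def _verify(self, cap, needed):
        expected = self._mac(cap.object_id, cap.rights)
        if not hmac.compare_digest(expected, cap.check):
            raise PermissionError("forged or altered capability")
        if cap.rights & needed != needed:
            raise PermissionError("capability does not grant this right")

    def read(self, cap):
        # No caller identity is consulted: holding a valid capability suffices.
        self._verify(cap, READ)
        return self._objects[cap.object_id]

    def write(self, cap, data):
        self._verify(cap, WRITE)
        self._objects[cap.object_id] = data
```

Because authorization rests on possession, a capability must be protected in transit and storage like any other bearer credential.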