Hi Stefan,

At 10:57 AM 6/10/2003 +0200, Stefan Mink wrote:
>Hi,
>
>I'm currently preparing courses about telecommunication security
>architectures and protocols of which certificates are a main
>building block for authentication and authorisation.
>
>I'm presenting the PKI/PMI models with X.509 as the mainly used
>architecture today and PGP as the distributed model.
>
>I also want to present SDSI/SPKI, but as far as I know, work in this
>direction seems to have stopped: the IETF WG was closed and some
>drafts weren't finished as RFCs. Nevertheless there are interesting
>ideas which are worth showing in contrast to X.509.

IETF work on SPKI/SDSI was stopped. We do not need to continue adding new protocols to the SPKI/SDSI family. There's one draft that should have gone on to RFC, but people were using it from the draft instead. It's my fault that we left it at that stage and didn't publish the RFC. That's still on my list of things to do :-) It seems that other work kept getting in the way.

But the uses of SPKI/SDSI have continued. Check out http://theworld.com/~cme/html/spki.html for implementations of and research papers on SPKI/SDSI. There are a few other implementations that have not been publicized, as well.

SPKI/SDSI doesn't lead to an industry like PKI and isn't a stand-alone product like PGP. It's a tool to be used within other products. It's also almost exclusively for a closed authorization infrastructure, rather than an open naming infrastructure. In fact, under SPKI/SDSI thinking, a global naming infrastructure is not a proper use of one's time and energy. This is doubtless why the PKI vendors react with hostility toward SPKI/SDSI.

>I still have two open points which I couldn't resolve by searching
>and reading:
>* Are there other authorisation certificate standards besides
>  SDSI/SPKI?

Yes. Check out KeyNote and PolicyMaker. There are links to those from my web page. There is also XACML and there is promised to be WS-Authorization.

Of course, you don't have to use certificates for authorization. You can bind an authorization to a key in a protected database (a key-based ACL, in SPKI/SDSI terminology). Samples of that are SSH and X9.59.

>* What are the main reasons that work on SDSI/SPKI stopped although
>  much work was already done?

We went on to use it in products and research. We were and are a group of developers and researchers, not standards writers. Standards writing is fundamentally boring.

>
> Bye
> Stefan
>--
>Stefan Mink, Schlund+Partner AG (AS 8560)
>Primary key fingerprint: 389E 5DC9 751F A6EB B974 DC3F 7A1B CF62 F0D4 D2BA
>

Bye,

Carl

+------------------------------------------------------------------+
|Carl M. Ellison         cme@acm.org      http://world.std.com/~cme |
|    PGP: 75C5 1814 C3E3 AAA7 3F31 47B9 73F1 7E3C 96E7 2B71         |
+---Officer, arrest that man. He's whistling a copyrighted song.---+

---------------------------------------------------------------------
The Cryptography Mailing List
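The key-based authorization model Carl describes (authorization bound to a key, with SPKI-style delegation checked by 5-tuple reduction) as an added illustration that is not part of this thread or of any SPKI/SDSI implementation; the key bytes, permission names and expiry values are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SELF = "self"  # the verifier's own ACL entries are issued by "self"


def principal(pubkey: bytes) -> str:
    """SPKI principals are keys; a hash of the key bytes serves as the id."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass(frozen=True)
class Cert:
    """SPKI 5-tuple: (issuer, subject, delegate, authorization, validity)."""
    issuer: str
    subject: str
    delegate: bool
    auth: FrozenSet[str]
    not_after: int  # validity reduced to a simple expiry time for this example


def reduce_pair(a: Cert, b: Cert) -> Optional[Cert]:
    """5-tuple reduction: a's subject must be b's issuer and a must allow delegation.
    The result carries the intersection of the authorizations and validities."""
    if a.subject != b.issuer or not a.delegate:
        return None
    return Cert(a.issuer, b.subject, b.delegate, a.auth & b.auth,
                min(a.not_after, b.not_after))


def reduce_chain(chain: List[Cert]) -> Optional[Cert]:
    acc = chain[0]
    for cert in chain[1:]:
        acc = reduce_pair(acc, cert)
        if acc is None:
            return None
    return acc


def authorized(acl: List[Cert], chain: List[Cert], key: bytes, perm: str, now: int) -> bool:
    """True if some ACL entry plus the presented chain reduces to (self, key, ..., perm)."""
    for entry in acl:
        result = reduce_chain([entry] + chain)
        if (result is not None and result.issuer == SELF
                and result.subject == principal(key)
                and perm in result.auth and now <= result.not_after):
            return True
    return False


# Constructed sample keys (placeholder bytes, not real public keys).
ALICE, BOB = b"alice-pubkey", b"bob-pubkey"
# ACL entry held by the verifier: Alice may read and write, and may delegate.
ACL = [Cert(SELF, principal(ALICE), True, frozenset({"read", "write"}), 2000)]
# Certificate Alice issues to Bob: read only, no further delegation.
ALICE_TO_BOB = Cert(principal(ALICE), principal(BOB), False, frozenset({"read"}), 3000)
```

Bob's "write" request fails because the intersection drops it, his "read" request after time 2000 fails because the ACL entry's validity bounds the chain, and any certificate Bob issues onward is rejected because Alice cleared the delegate bit.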