Re: Revoking Old Lost Keys
> > Note that the problem here is in the basic trust model, not just the
> > certificate distribution model (which is a separate problem). The lack of
> > ability for a certifier to revoke his own certification, plus the lack of a
> > facility to put limits on the duration and meaning of the certification,
> > make PGP certificates of very limited practical value.
>
> Isn't the last bit here, the part about duration and meaning, the
> practical answer to the problem? Especially duration?
>
> The stuff that's been going on lately with Netscape's browsers, Sameer's
> Apache SSL server, and the difficulty of getting CAs like VeriSign to
> approve keys underscores the importance of this issue.
>
> This is probably sort of half-baked, but is it possible to come up with a
> formal grammar that would allow us to describe trust models in general?
> What if we had a Prolog-like system that allowed you to set up rules like:
>
> "x is a student if x has got a signature from a school"
> "x is a school if x has got a signature from the accreditation authority"
> "x belongs to the secret society if x has signatures from 3 other people
> who have belonged to the society for more than a year, and if x is
> a certified owner of a duck."
>
> Wouldn't something like this give us the flexibility to use a PGPish model
> of trust or an X.509ish model, or whatever else we wanted to do?
>
> It seems to me that the rules that govern when you can accept which
> signature ought to be data objects in a more flexible system, just as the
> signatures themselves are data objects. That means that the rules
> themselves ought to be subject to change, revocation, or revision.
>
> The constitution wouldn't have survived if it didn't contain a mechanism
> for amendment. Wouldn't a model of trust with the same ability for
> revision and extension be a lot more robust, and a lot more resistant to
> centralized control?
>
Indeed, I agree that's the right approach. In fact, I agree so much
that I've spent the last few months (with Joan Feigenbaum and Jack
Lacy) developing the principles and structure for just such a "trust
management" system. Watch this space for details of our system, called
"PolicyMaker", which I expect to release a paper about shortly and a
reference implementation around April or May.
-matt
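
The three rules quoted above, evaluated over signatures that carry a validity period and a revocation flag. This is an added example, not part of the original message and not PolicyMaker code; Python stands in for the Prolog-like notation. The trust anchors (`accreditor`, `duck-registry`), the founder list, the day numbers, and the rule for dating a new membership are all assumptions.

```python
from dataclasses import dataclass

# Hypothetical trust anchors and constructed day numbers (assumptions, not from the post).
ROOT, DUCK_REGISTRY = "accreditor", "duck-registry"
FOUNDERS = {"ann": 0, "bob": 0, "cy": 0}  # member -> day joined

@dataclass
class Sig:
    signer: str
    subject: str
    claim: str
    issued: int   # first valid day
    expires: int  # first day no longer valid (the "duration" limit)
    revoked: bool = False  # the certifier withdrew it

def valid(sigs, now, subject, claim):
    """Signatures for (subject, claim) that are in date and not revoked."""
    return [s for s in sigs if (s.subject, s.claim) == (subject, claim)
            and not s.revoked and s.issued <= now < s.expires]

def is_school(sigs, now, x):  # "x is a school if ..."
    return any(s.signer == ROOT for s in valid(sigs, now, x, "school"))

def is_student(sigs, now, x):  # "x is a student if ..."
    return any(is_school(sigs, now, s.signer)
               for s in valid(sigs, now, x, "student"))

def member_since(sigs, now, x, seen=frozenset()):
    """Day x joined the society, or None; `seen` breaks vouching cycles."""
    if x in FOUNDERS:
        return FOUNDERS[x]
    if x in seen:
        return None
    ducks = [s.issued for s in valid(sigs, now, x, "duck-owner")
             if s.signer == DUCK_REGISTRY]
    vouches = {}  # signer -> day vouched, senior members only
    for s in valid(sigs, now, x, "member"):
        since = member_since(sigs, now, s.signer, seen | {x})
        if since is not None and now - since > 365:
            vouches[s.signer] = s.issued
    if not ducks or len(vouches) < 3:
        return None
    # Assumption: membership dates from the third vouch or the duck cert, whichever is later.
    return max(sorted(vouches.values())[2], min(ducks))

SIGS = [  # constructed sample signatures
    Sig(ROOT, "school-a", "school", 0, 1000), Sig("school-a", "dana", "student", 10, 400),
    Sig("ann", "dana", "member", 400, 2000), Sig("bob", "dana", "member", 410, 2000),
    Sig("cy", "dana", "member", 420, 2000), Sig(DUCK_REGISTRY, "dana", "duck-owner", 300, 2000),
]
```

Because every conclusion is recomputed from the signatures that are live at `now`, an expired or revoked signature anywhere in the chain withdraws everything derived from it.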