
Re: Revoking Old Lost Keys



> > Note that the problem here is in the basic trust model, not just the
> > certificate distribution model (which is a separate problem).  The lack of
> > ability for a certifier to revoke his own certification, plus the lack of a
> > facility to put limits on the duration and meaning of the certification,
> > make PGP certificates of very limited practical value.
> 
> Isn't the last bit here, the part about duration and meaning, the 
> practical answer to the problem?  Especially duration?
> 
> The stuff that's been going on lately with Netscape's browsers, Sameer's
> apache ssl server, and the difficulty of getting CAs like verisign to
> approve keys underscores the importance of this issue.
> 
> This is probably sort of half-baked, but is it possible to come up with a 
> formal grammar that would allow us to describe trust models in general?  
> What if we had a prolog-like system that allowed you to set up rules like:
> 
> "x is a student if x has got a signature from a school" 
> "x is a school if x has got a signature from the accreditation authority"
> "x belongs to the secret society if x has signatures from 3 other people
> who have belonged to the society for more than a year, and if x is 
> a certified owner of a duck."
> 
> Wouldn't something like this give us the flexibility to use a PGPish model
> of trust or an X.509ish model, or whatever else we wanted to do?
> 
> It seems to me that the rules that govern when you can accept which 
> signature ought to be data objects in a more flexible system, just as the 
> signatures themselves are data objects.  That means that the rules 
> themselves ought to be subject to change, revocation, or revision.  
> 
> The constitution wouldn't have survived if it didn't contain a mechanism 
> for amendment.  Wouldn't a model of trust with the same ability for 
> revision and extension be a lot more robust, and a lot more resistant to 
> centralized control?
> 

Indeed, I agree that's the right approach.  In fact, I agree so much
that I've spent the last few months (with Joan Feigenbaum and Jack
Lacy) developing the principles and structure for just such a "trust
management" system.  Watch this space for details of our system, called
"PolicyMaker", which I expect to release a paper about shortly and a
reference implementation around April or May.

-matt
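As an added example (not part of this thread, and not PolicyMaker): the three rules from the quoted proposal written as data objects for a small fixed-point evaluator, over constructed signatures and join dates. Revoking a signature or a rule and re-deriving shows the "rules as revisable data" point the quoted post makes.

```python
"""Tiny forward-chaining evaluator for signature-based trust rules.
Rules and signatures are both plain data, so either can be added or revoked
and the conclusions recomputed.  Constructed example, not PolicyMaker."""

# Constructed sample data: (signer, subject) key signatures, base facts as
# (predicate, subject) pairs, and the year each society member joined.
SIGNATURES = {("accreditor", "uni"), ("uni", "alice"), ("uni", "bob"),
              ("carol", "dave"), ("erin", "dave"), ("frank", "dave")}
BASE_FACTS = {("member", "carol"), ("member", "erin"), ("member", "frank"),
              ("duck_owner", "dave")}
MEMBER_SINCE = {"carol": 2010, "erin": 2012, "frank": 2019}
NOW = 2020

def signers_of(x, sigs):
    return {signer for signer, subject in sigs if subject == x}

# The post's three rules as (head, body) data; body(x, facts, sigs) -> bool.
def is_school(x, facts, sigs):      # x is a school if signed by the accreditor
    return "accreditor" in signers_of(x, sigs)

def is_student(x, facts, sigs):     # x is a student if signed by a school
    return any(("school", s) in facts for s in signers_of(x, sigs))

def is_member(x, facts, sigs):      # 3 signatures from members of >= 1 year, plus a duck
    vouchers = [s for s in signers_of(x, sigs)
                if ("member", s) in facts and NOW - MEMBER_SINCE.get(s, NOW) >= 1]
    return len(vouchers) >= 3 and ("duck_owner", x) in facts

RULES = [("school", is_school), ("student", is_student), ("member", is_member)]

def derive(base, sigs, rules):
    """Apply the rules to a fixed point; all rules are monotonic, so it terminates."""
    facts = set(base)
    subjects = {name for pair in sigs for name in pair} | {s for _, s in base}
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for x in subjects:
                if (head, x) not in facts and body(x, facts, sigs):
                    facts.add((head, x))
                    changed = True
    return facts

def revoke_rule(rules, head):
    """Rules are data: dropping one withdraws everything only it could derive."""
    return [r for r in rules if r[0] != head]

if __name__ == "__main__":
    print(sorted(derive(BASE_FACTS, SIGNATURES, RULES)))
```

Removing the "school" rule also withdraws every "student" conclusion, since the chain through `school` is the only way to derive them.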