SPKI / SDSI Simple PKI / Simple Distributed Security Infrastructure. What is SPKI ?
SPKI / SDSI: Simple PKI / Simple Distributed Security Infrastructure
• What is SPKI? The Simple PKI is a movement to replace the specification for X.509 with something simpler. X.509 relies on several global structures that make it difficult to implement efficiently. One structure that SPKI tries to remove is the global name space, a feature intrinsic to X.509 and PGP.
• What is SDSI? The main feature added by SDSI is the notion of local name spaces: name spaces defined relative to a particular key, whose names can later be dereferenced to a key or to another SDSI name. This is what lets the design avoid CRLs.
How does it work?
• The main new feature of this PKI is the separation of authorization from name definition.
• This eliminates several hairy problems that arise from the juxtaposition of authority with naming.
• Since you really only know and control your own name space, you can, at will, issue certificates that bind subjects to names in your name space.
• Let’s see one simple example, but before that let’s look at the SPKI/SDSI certificate structures.
Representation of certificates in terms of S-expressions
(cert
  (issuer (name (public-key (rsa-pkcs1-md5 (e #25#) (n |……K…..|))) TIFR))
  (subject (public-key (rsa-pkcs1-md5 (e #25#) (n |……K-tifr…..|)))))
This S-expression is a certificate issued by key “K” to key “K-tifr”. In short it can be represented as K TIFR -> K-tifr. ASN.1-like encoding is avoided.
SPKI/SDSI certificates:
• Name certs { K, A, S, V }
• Auth certs { K, S, D, T, V }
Certs as rewrite rules:
• Name cert: K A -> S
• Auth cert: K -> S
Where:
• K - issuer’s public key
• A - local name of K
• S - subject, a term
• D - delegation bit
• T - authorization specification (tag)
• V - validity specification
Example - certificate chain discovery
• In SPKI/SDSI the onus of identification and of proving authority to do something is left on the user.
• Let’s take one scenario:
• A resource has been restricted to some users and groups.
• The resource is associated with these valid group and user definitions in its ACL.
• To access the resource one has to prove one’s identity and authority to access it by presenting a chain of certificates.
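The slides on S-expression certificates, certs as rewrite rules and certificate chain discovery can be tied together in a small model. The following Python code is an added example and not part of the slides: it parses name certs written in the textual S-expression form shown above, turns each into a rewrite rule K A -> S, resolves a local name (including extended names such as K TIFR staff) to the set of keys it denotes, and checks a presented key against a resource ACL. Keys, certs and the ACL are constructed sample data with placeholder moduli; signature verification and validity (V) checking are assumed to have already happened.

```python
import re

# Tokens: parens, |base64-style| blobs, #hex# blobs, and bare atoms (textual SPKI form).
TOKEN_RE = re.compile(r'\(|\)|\|[^|]*\||#[^#]*#|[^\s()|#]+')


def parse_sexp(text):
    """Parse one S-expression into nested Python lists of strings."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError('unexpected end of input')
        tok = tokens[pos]
        pos += 1
        if tok == '(':
            items = []
            while pos < len(tokens) and tokens[pos] != ')':
                items.append(parse())
            if pos >= len(tokens):
                raise ValueError('missing )')
            pos += 1  # consume ')'
            return items
        if tok == ')':
            raise ValueError('unexpected )')
        return tok

    result = parse()
    if pos != len(tokens):
        raise ValueError('trailing tokens after S-expression')
    return result


def canon(sexp):
    """Canonical text of an S-expression; used here as the identity of a public key."""
    if isinstance(sexp, list):
        return '(' + ' '.join(canon(x) for x in sexp) + ')'
    return sexp


def term(sexp):
    """Subject/issuer S-expression -> term tuple (key_id, name1, name2, ...).
    A bare public key becomes (key_id,); (name K A B) becomes (key_id_of_K, 'A', 'B')."""
    if sexp[0] == 'public-key':
        return (canon(sexp),)
    if sexp[0] == 'name':
        return (canon(sexp[1]),) + tuple(sexp[2:])
    raise ValueError('unsupported term: ' + canon(sexp))


def name_cert_rule(cert_text):
    """Read a name cert and return its rewrite rule ((K, A), S), i.e. K A -> S."""
    cert = parse_sexp(cert_text)
    if cert[0] != 'cert':
        raise ValueError('not a cert')
    fields = {f[0]: f[1] for f in cert[1:]}
    issuer = term(fields['issuer'])
    if len(issuer) != 2:
        raise ValueError('name cert issuer must be a local name K A')
    return issuer, term(fields['subject'])


MAX_TERM_LEN = 8  # guard against name definitions whose rewrites grow without bound


def resolve(start, rules):
    """Keys denoted by a term, by exhaustively applying the rewrite rules K A -> S.
    A term (K, A, rest...) matching rule (K, A) -> S rewrites to S + rest.
    Cyclic name definitions terminate because rewritten terms are deduplicated."""
    seen, work, keys = {start}, [start], set()
    while work:
        t = work.pop()
        if len(t) == 1:          # fully reduced: a bare key
            keys.add(t[0])
            continue
        for (k, a), s in rules:
            if (k, a) == t[:2]:
                new = s + t[2:]
                if len(new) <= MAX_TERM_LEN and new not in seen:
                    seen.add(new)
                    work.append(new)
    return keys


def acl_permits(acl, rules, presented_key):
    """Grant access if the presented key is denoted by any term on the resource's ACL."""
    return any(presented_key in resolve(entry, rules) for entry in acl)


# Constructed sample keys in the slides' textual form (placeholder moduli, not real RSA values).
K = '(public-key (rsa-pkcs1-md5 (e #25#) (n |K-modulus|)))'
K_TIFR = '(public-key (rsa-pkcs1-md5 (e #25#) (n |K-tifr-modulus|)))'
K_ALICE = '(public-key (rsa-pkcs1-md5 (e #25#) (n |K-alice-modulus|)))'
K_BOB = '(public-key (rsa-pkcs1-md5 (e #25#) (n |K-bob-modulus|)))'

# Constructed name certs: K TIFR -> K-tifr, K-tifr staff -> K-alice, K staff -> K TIFR staff.
CERTS = [
    '(cert (issuer (name ' + K + ' TIFR)) (subject ' + K_TIFR + '))',
    '(cert (issuer (name ' + K_TIFR + ' staff)) (subject ' + K_ALICE + '))',
    '(cert (issuer (name ' + K + ' staff)) (subject (name ' + K + ' TIFR staff)))',
]


def demo():
    """Chain discovery against a resource whose ACL admits the group K staff."""
    rules = [name_cert_rule(c) for c in CERTS]
    acl = [(K, 'staff')]
    return {
        'tifr_keys': resolve((K, 'TIFR'), rules),
        'alice_allowed': acl_permits(acl, rules, K_ALICE),
        'bob_allowed': acl_permits(acl, rules, K_BOB),
    }


if __name__ == '__main__':
    print(demo())
```

The resolver does the work the slides assign to the user: from the three certs it finds the chain K staff -> K TIFR staff -> K-tifr staff -> K-alice, so Alice's key satisfies the ACL while Bob's, with no cert naming it, does not.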
Distinct advantages of SPKI/SDSI over X.509
• Introduction of local name spaces, hence distributed, so the infrastructure can scale truly globally.
• Separate name certificates and authorization certificates.
• Concept of groups and delegation of authority.
• No CRLs, due to extended names.
• Each key can act as a CA.
• The flexibility provided by this system lets the resource administrator work with different policies as and when needed.