From owner-mcg-talk@localhost Thu May 15 16:55:17 1997
Return-Path: owner-mcg-talk@novaware.cps.softex.br
Received: (from majordom@localhost) by localhost (8.8.5/v3.2) id QAA15402 for mcg-talk-outgoing; Thu, 15 May 1997 16:55:17 -0300
Message-Id: <199705151955.QAA15402@localhost>
Date: Thu, 15 May 1997 16:58:09 -0300 (EST)
From: "111229"
To: mcg-talk@localhost
Subject: Re: What's it all about?
Sender: owner-mcg-talk@novaware.cps.softex.br

I have been following these discussions and reading the materials, and conversing off the list with Dr Gerck. I think I am making headway. I am writing here my understanding of what Dr Gerck's project is all about.

The terms he uses come from a variety of disciplines. This makes a good deal of sense, because he has been consulting computer people, lawyers, philosophers, and other cross-disciplinary people. The terms `domain space' and `image space' are new to computer security; they come from the mathematical discipline of functional analysis. In plain words, `domain space' might be called `the real world'. Of course, this introduces the question of what the real world actually is, so I do not object to the mathematical term. Cyberspace is an image space. The world of Law is an image space. (If I were a lawyer, I might make an argument that Law is actually the domain space, and the sensory world an image space, but I'm not a lawyer, so I won't.)

Obviously, people are part of the domain space. Some things like corporations and DBAs (that's doing-business-as) are not people, but are part of the domain space with their own legal rights and obligations, so it makes sense to use a word like `persona' to lump all of them together. Some other things, like money, are arguably part of either domain space or image space (is money real? does it exist in the same way a person exists?
does it exist in the same way that Sherlock Holmes exists?), but in any discussion that wants to encompass electronic commerce, it is best to consider money real, and thus part of the domain space.

Moving on, the term `hash' is perhaps unfortunate, because it does not mean a checksum, a cryptographic digest, a bucket-splitter, or any of the other things I normally consider a hash, but I see the point. An example might be that a GIF of me is a hash of what-I-look-like. The GIF won't change if I dress up in costume or change my hair style, and may not even look a whole lot like me (especially if we start from my passport photo). But I can publish that GIF and software can find me by finding the domain-space persona that advertises that hash. A person or sufficiently smart software might identify me because I look like that GIF (whatever it means to look like). I see that if I use that GIF as my Meta-Certificate-Identifier-Hash, then I can keep that as my Meta-Certificate-Distinguished-Name even if I drastically alter my Meta-Certificate. I could even potentially update my photo, and make some thingie in my Meta-Certificate that says, `If you knew me as the person who looked like this, this is still me' and sufficiently smart software could still find me.

The most radical jump in thought for me is realizing that a Meta-Certificate is not a PKI. It is actually an object-oriented framework for defining a way to identify, authenticate, or authorize some persona for some function. The certificate itself is a mobile object, in ways like a TeleScript agent, or a Java applet or servlet, or a Lisp closure. It may contain a PKI as an authentication scheme (or even multiple PKIs as authentication schemes), but is not itself a PKI.
It appears that the class structure will provide a description of how a certificate producer can advertise the methods by which it may be validated. The methods may be built upon a PKI, but they just as well could use Kerberos, a username/password pair, a digest exchange à la APOP, smart cards, biometric devices, homebrewed mechanisms, and even really outré ones like a phone call home to your mother.

As I understand it, then, I've been thinking about some of the wrong issues. For example, I have been wondering about how exactly the trust model works, and what trust model can possibly do all the things Dr Gerck is claiming. I think my confusion comes from my asking the wrong question. The real answer seems to be, `what trust model would you like?' There is a built-in notion (the `archetypical model' in the abstract class) of the meta-rules that a trust model has to follow, but I might buy a trust model from someone and add that, design my own, or even augment one I bought. Thus, I can ask for a fingerprint and check it against the FBI, Scotland Yard, and Sûreté databases, check their PGP key to make sure that it was signed by Mother Theresa, ask for a letter of recommendation from either the Pope or the Dalai Lama (except during Ramadan, when only approval by the Taliban will do), and then reject them out of hand if I haven't had my second cup of coffee.

As flippant as I'm being, this has a lot of value. I write with a GUI framework because I don't have to worry my pretty little head about the details of how to draw a checkbox. I ask the system to draw it for me, and it does. It even handles what happens when it's clicked. I just ask the checkbox if it's on or off, and it tells me. If I want a special checkbox, I can make one of those as a subclass, and once I've done that work, I don't have to think about it again, I just use it.
Similarly, if I use a meta-certificate, I may have to do some up-front work to get things the way I want, but I can always use an off-the-shelf validity mechanism. In either case, I just ask the certificate framework if the certificate is valid. The framework can combine rules of thumb with special cases as appropriate, and without my having to worry my pretty little head about it.
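A hypothetical sketch, added here and not the MCG project's own code or data model, of the framework the message describes: a certificate advertises the methods by which it may be validated (an abstract `ValidationMethod` archetype with an APOP-style digest exchange and a letter-of-recommendation check as concrete subclasses), and the relying party supplies its own `TrustModel` saying which of those methods must pass. All names, the shared secret, the challenge and the sample certificate are constructed for the example; HMAC-SHA256 stands in for APOP's raw MD5 digest.

```python
import hashlib
import hmac
from abc import ABC, abstractmethod

# Constructed shared secret and challenge; a real exchange uses a fresh challenge per session.
SECRET = b"constructed-shared-secret"
CHALLENGE = b"<constructed-challenge@example>"

class ValidationMethod(ABC):
    """Archetype (abstract class): each method decides whether the evidence passes."""
    @abstractmethod
    def validate(self, evidence: dict) -> bool: ...

class SharedSecretDigest(ValidationMethod):
    """APOP-style digest exchange: prove a shared secret by digesting a challenge with it.
    HMAC-SHA256 stands in for APOP's raw MD5; the secret itself never crosses the wire."""
    def __init__(self, secret: bytes, challenge: bytes):
        self.secret, self.challenge = secret, challenge
    def validate(self, evidence):
        expected = hmac.new(self.secret, self.challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, evidence.get("digest", b""))

class Recommendation(ValidationMethod):
    """A letter of recommendation from any recommender the relying party accepts."""
    def __init__(self, accepted: frozenset):
        self.accepted = accepted
    def validate(self, evidence):
        return evidence.get("recommender") in self.accepted

class TrustModel:
    """The relying party's own policy over the methods a certificate advertises:
    every name in `required` must pass, and at least one name in `any_of` (if given)."""
    def __init__(self, required, any_of=()):
        self.required, self.any_of = list(required), list(any_of)
    def is_valid(self, cert: dict, evidence: dict) -> bool:
        methods = cert["methods"]  # what the certificate producer advertises
        if not all(n in methods and methods[n].validate(evidence) for n in self.required):
            return False  # a required method is missing from the certificate or failed
        return not self.any_of or any(
            n in methods and methods[n].validate(evidence) for n in self.any_of)

def digest_response(secret: bytes = SECRET, challenge: bytes = CHALLENGE) -> bytes:
    """The persona's reply in the digest exchange (the prover's side)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

# Constructed meta-certificate: it only advertises the methods by which it may be validated.
CERT = {"name": "111229", "methods": {
    "apop": SharedSecretDigest(SECRET, CHALLENGE),
    "letter": Recommendation(frozenset({"the Pope", "the Dalai Lama"}))}}
```

The relying party asks `TrustModel(...).is_valid(CERT, evidence)` and never looks inside the individual methods, which is the "just ask the framework" point of the message.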