SPKI
   HOME

TheInfoList



Click Here for Items Related To - SPKI
OR:
SPKI on:   [Wikipedia]   [Google]   [Amazon]

Simple public key infrastructure (SPKI, pronounced ''spoo-key'') was an attempt to overcome the complexity of traditional
X.509 In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secu ...
public key infrastructure A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilit ...
. It was specified in two
Internet Engineering Task Force The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...
(IETF)
Request for Comments A Request for Comments (RFC) is a publication in a series from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF). An RFC is authored by individuals or g ...
(RFC) specifications— and —from the IET
SPKI working group
These two RFCs never passed the "experimental" maturity level of the IETF's RFC status. The SPKI specification defined an authorization certificate format, providing for the delineation of privileges, rights or other such attributes (called authorizations) and binding them to a public key. In 1996, SPKI was merged with Simple Distributed Security Infrastructure (SDSI, pronounced ''sudsy'') by
Ron Rivest Ronald Linn Rivest (; born May 6, 1947) is a cryptographer and an Institute Professor at MIT. He is a member of MIT's Department of Electrical Engineering and Computer Science (EECS) and a member of MIT's Computer Science and Artificial Intell ...
and
Butler Lampson Butler W. Lampson, ForMemRS, (born December 23, 1943) is an American computer scientist best known for his contributions to the development and implementation of distributed personal computing. Education and early life After graduating from t ...
.


History and overview

The original SPKI had identified principals only as
public key Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
s but allowed binding authorizations to those keys and delegation of authorization from one key to another. The encoding used was attribute:value pairing, similar to headers. The original SDSI bound local names (of individuals or groups) to public keys (or other names), but carried authorization only in
Access Control List In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on giv ...
s (ACLs) and did not allow for delegation of subsets of a principal's authorization. The encoding used was standard
S-expression In computer programming, an S-expression (or symbolic expression, abbreviated as sexpr or sexp) is an expression in a like-named notation for nested list (tree-structured) data. S-expressions were invented for and popularized by the programming la ...
. Sample RSA public key in SPKI in "advanced transport format" (for actual transport the structure would be
Base64 In computer programming, Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically, a sequence of 8-bit bytes) in sequences of 24 bits that can be represented by four 6-bit Base64 digits. Common to all bina ...
-encoded): 
(public-key
   (rsa-pkcs1-md5
    (e #03#)
    (n
     , ANHCG85jXFGmicr3MGPj53FYYSY1aWAue6PKnpFErHhKMJa4HrK4WSKTO
     YTTlapRznnELD2D7lWd3Q8PD0lyi1NJpNzMkxQVHrrAnIQoczeOZuiz/yY
     VDzJ1DdiImixyb/Jyme3D0UiUXhd6VGAz0x0cgrKefKnmjy410Kro3uW1,  )))
The combined SPKI/SDSI allows the naming of principals, creation of named groups of principals and the delegation of rights or other attributes from one principal to another. It includes a language for expression of authorization - a language that includes a definition of "intersection" of authorizations. It also includes the notion of threshold subject - a construct granting authorizations (or delegations) only when K of N of the listed subjects concur (in a request for access or a delegation of rights). SPKI/SDSI uses S-expression encoding, but specifies a binary form that is extremely easy to parse - an LR(0) grammar - called
Canonical S-expressions A Canonical S-expression (or csexp) is a binary encoding form of a subset of general S-expression (or sexp). It was designed for use in SPKI to retain the power of S-expressions and ensure canonical form for applications such as digital signatures ...
. SPKI/SDSI does not define a role for a commercial
certificate authority In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This ...
(CA). In fact, one premise behind SPKI is that a commercial CA serves no useful purpose. As a result of that, SPKI/SDSI is deployed primarily in closed solutions and in demonstration projects of academic interest. Another side-effect of this design element is that it is difficult to monetize SPKI/SDSI by itself. It can be a component of some other product, but there is no business case for developing SPKI/SDSI tools and services except as part of some other product. The most prominent general deployments of SPKI/SDSI are E-speak, a middleware product from HP that used SPKI/SDSI for access control of web methods, and
UPnP Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the n ...
Security, that uses an XML dialect of SPKI/SDSI for access control of web methods, delegation of rights among network participants, etc.


See also

*
SPKAC SPKAC is an acronym that stands for Signed Public Key and Challenge, also known as Netscape SPKI. It is a format for sending a Certification Signing Request: it encodes a public key, that can be manipulated using OpenSSL. It is created using t ...


Notes


External links


SPKI homepage

JSDSI (open source development effort)

CDSA (open source development effort)
{{DEFAULTSORT:Simple Public Key Infrastructure Key management