spki-application_2008-12-7_.doc - Assembla

Document Sample
spki-application_2008-12-7_.doc - Assembla Powered By Docstoc
					Applications of SPKI

Since it was merged with SDSI by Ron Rivest and Butler Lampson in 1996 as well as
the hard working from the IETF SPKI working group, the new key distribution
method-SPKI has become a significant research direction on security. However,
although SPKI integrates the wisdom of so many scholars and experts during the last
10 years, it seems that its fruits mostly appear in papers yet few products in real world.
In spite of its relatively unsuccessful popularization, it is still acknowledged that
SPKI/SKSI is an efficient and effective protocol for Security Mechanism from those
products and implements.

E-speak, which is an open software platform designed by HP and uses SPKI/SDSI for
access control of web methods, is probable the most prominent general deployment
for SPKI/SDSI technology. E-speak can facilitate the delivery of electronic services
(e-services) on the Internet. Through the use of E-speak, users will be able to enjoy a
variety services online. Take a user’s mortgage financing requirement for instance,
E-speak can collect useful information online for him, classify them to several
solutions and return them to the user as a feedback to help him to make a correct
decision ( Its designers make use of SPKI
attribute certificates for the security of E-speak which bring them a number of
effects. The most significant advantage is that its architecture based on SPKI will be
more suitable for B2B (business-to-business) environment, since “it made certain
end-to-end guarantees easier to enforce and, equally importantly, easier to explain”
(Lessons form E-speak), and hence more acceptable to customers. However, SPKI
operations also bring a flaw which is the latencies made by SPKI seem a little large
for interactive use under distributed collaboration system.

Another successful application of SPKI/SDSI is UPnP (Universal Plug and Play),
which is a Microsoft’s standard for resource discovery. Resources in this system
advertise and describe themselves using the XML (eXtensible Markup Language),
and UPnP Security just uses SPKI/SDSI mechanism implemented by XML dialect for
both access control of web methods and delegation of rights among network
participants (Wikipedia). In practice, UPnP certificates are strongly similar to SPKI
certificates, but are not exactly the same. “They have slightly different syntax and are
encoded in XML rather than canonical S-expressions” (DeviceSecurity:1 Service
Template ). Despite the slightly different,generally speaking, the thought form
SPKI/SDSI benefits a lot to UPnP’s security mechanism.

By contrast with the small amount of products achieved in real world, plenty of
implements have been mentioned in journals, and SPKI is more attractive among
projects with academic interest. Ellison, one of the authors of RFC2963 as well as one
of the most authoritative experts of SPKI, gave various application solutions using
SPKI structures in his paper. In this document tag examples, keyholder examples and
object certificates were given, if anyone wants to implement some applications
especially under distributed system these examples’ structures will be helpful
( Take “authority to spend
money” for example, Ellison et al. gave the tag
    (tag (spend <bank> <account> (* range le <amount> )))
In practice, it will be used as
    (tag (spend BankBoston "011000390 436 20608" (* range le "500.00")))
(propagate) implies that the account holder has agreed to delegate his ability to others.
And the next line indicates it permits someone to spend up to 500 per electronic check
form the indicated checking account at BankBoston (examples given by Ellison). In
addition, it has been established some SPKI Certificate standards for different
programming languages, such as Pisces, JSDSI which are implementations of
SPKI/SDSI Certificate standard for Python and Java respectively. Moreover, for
implementing SDSI infrastructure, three packages are built to provide a library of
classes. They are sdsi.sexp, sdsi, and sdsi.control packages which are responsible for
the implement of S-expressions, the implement of SDSI objects and generation GUI
for SDSI system respectively.

Shared By: