Until recently, I thought SPKI Certificates were only suitable for
distributed user authorisation.
Quick recap: I sign an authority certificate, to be used on my system,
and delegate it to a friend (creating a certificate chain), allowing my
friend remote access to my computer because my computer recognises my
certificate; it's sort of like me being the Certificate Authority for my
own domain. I can also allow my friend to delegate certain
authorisations to his friends (by signing their cert) and so on. (I
cannot limit the level of delegation; an authority certificate can
either be delegated or not.)
Well, what if a jar file can be signed by someone to whom I've delegated
an authority certificate for DownloadPermission?
My computer doesn't even need to know who the other person is who signed
the jar file; all it needs is my authority certificate.
Does this let the genie out of the bottle? Not if I sign with a
secondary certificate I use for delegation, since I can revoke that
certificate locally; then all the people to whom I've delegated the
permission can no longer take advantage of it (except for those whose
classes have already been loaded).
The authority certificates I generate are only useful in my domain.
This allows administrators and their dominions to remain separate, yet
remain able to determine authorisation.
Rather simple, isn't it?
The added benefit is that a ClassLoader loaded using signed jar files
will be more secure as it prevents the loading of unsigned jar files
into that class loader by a potential attacker.
Interestingly, if my friend grants me DownloadPermission, I can create a
service with a smart proxy and my friend can use it to log into my
system using authorisation certificates I've granted to access my domain.
SPKI certificates can also be given short expiry periods, issued daily
or weekly by an administrator to whom I've delegated authority.
Peter.
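The delegation chain, the non-delegable leaf, the locally revoked secondary key and the short expiry described in the post, as an added illustrative example (not River/Jini code and not Peter's own; the `Cert` layout, the `SHA256withRSA` choice, the `verifyChain` rules and the use of "DownloadPermission" as a plain tag string are all assumptions made for this sketch):

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Duration;
import java.time.Instant;
import java.util.*;

// SPKI-style authority certificates: <issuer> grants <tag> to <subject>,
// optionally with the right to delegate further. Assumed model, not a real SPKI codec.
public class SpkiChainDemo {

    static final class Cert {
        final PublicKey issuer, subject;
        final String tag;
        final boolean delegate;
        final Instant notAfter;
        final byte[] signature;

        Cert(PublicKey issuer, PublicKey subject, String tag, boolean delegate,
             Instant notAfter, byte[] signature) {
            this.issuer = issuer; this.subject = subject; this.tag = tag;
            this.delegate = delegate; this.notAfter = notAfter; this.signature = signature;
        }

        // Canonical, length-prefixed encoding of the signed fields (so fields cannot be re-split).
        byte[] tbs() throws IOException {
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            DataOutputStream out = new DataOutputStream(bos);
            writeBytes(out, issuer.getEncoded());
            writeBytes(out, subject.getEncoded());
            writeBytes(out, tag.getBytes(StandardCharsets.UTF_8));
            out.writeBoolean(delegate);
            out.writeLong(notAfter.getEpochSecond());
            out.flush();
            return bos.toByteArray();
        }

        private static void writeBytes(DataOutputStream out, byte[] b) throws IOException {
            out.writeInt(b.length);
            out.write(b);
        }
    }

    static Cert issue(KeyPair issuer, PublicKey subject, String tag, boolean delegate,
                      Instant notAfter) throws GeneralSecurityException, IOException {
        Cert unsigned = new Cert(issuer.getPublic(), subject, tag, delegate, notAfter, new byte[0]);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(issuer.getPrivate());
        sig.update(unsigned.tbs());
        return new Cert(issuer.getPublic(), subject, tag, delegate, notAfter, sig.sign());
    }

    // Keys are compared by encoded form; the revocation list holds these ids.
    static String keyId(PublicKey k) { return Base64.getEncoder().encodeToString(k.getEncoded()); }

    // True iff the chain, rooted at my key, proves the last subject holds <tag> right now.
    static boolean verifyChain(PublicKey root, List<Cert> chain, String tag,
                               Set<String> revoked, Instant now) {
        if (chain.isEmpty()) return false;
        PublicKey expectedIssuer = root;
        for (int i = 0; i < chain.size(); i++) {
            Cert c = chain.get(i);
            boolean last = (i == chain.size() - 1);
            try {
                if (!keyId(c.issuer).equals(keyId(expectedIssuer))) return false; // broken link
                if (revoked.contains(keyId(c.issuer)) || revoked.contains(keyId(c.subject)))
                    return false;                                            // local revocation
                if (!c.tag.equals(tag)) return false;                        // wrong permission
                if (now.isAfter(c.notAfter)) return false;                   // expired
                if (!last && !c.delegate) return false;                      // may not delegate on
                Signature sig = Signature.getInstance("SHA256withRSA");
                sig.initVerify(c.issuer);
                sig.update(c.tbs());
                if (!sig.verify(c.signature)) return false;
            } catch (GeneralSecurityException | IOException e) {
                return false;
            }
            expectedIssuer = c.subject;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair me = gen.generateKeyPair();            // root of my domain
        KeyPair delegator = gen.generateKeyPair();     // secondary key I use only for delegation
        KeyPair friend = gen.generateKeyPair();
        KeyPair friendOfFriend = gen.generateKeyPair();

        String tag = "DownloadPermission";
        Instant weekAhead = Instant.now().plus(Duration.ofDays(7));   // short-lived, reissued weekly
        Cert c1 = issue(me, delegator.getPublic(), tag, true, weekAhead);
        Cert c2 = issue(delegator, friend.getPublic(), tag, true, weekAhead);
        Cert c3 = issue(friend, friendOfFriend.getPublic(), tag, false, weekAhead);
        List<Cert> chain = List.of(c1, c2, c3);
        Set<String> revoked = new HashSet<>();

        System.out.println("friend-of-friend accepted: "
            + verifyChain(me.getPublic(), chain, tag, revoked, Instant.now()));
        // c3 was not delegable, so anything issued below it must be rejected.
        Cert c4 = issue(friendOfFriend, gen.generateKeyPair().getPublic(), tag, false, weekAhead);
        System.out.println("delegation past non-delegable cert accepted: "
            + verifyChain(me.getPublic(), List.of(c1, c2, c3, c4), tag, revoked, Instant.now()));
        // Revoking my secondary key locally cuts off everyone it had delegated to.
        revoked.add(keyId(delegator.getPublic()));
        System.out.println("after revoking delegation key: "
            + verifyChain(me.getPublic(), chain, tag, revoked, Instant.now()));
    }
}
```

The verifier never needs to know who `friend` or `friendOfFriend` are; it only walks the chain back to `me` and checks the revocation set it keeps locally. Expired certificates fail the `notAfter` check, which is what makes the daily or weekly reissue mentioned above a useful limit on how long a delegated grant can outlive its issuer's intentions.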