[Twisted-Python] PB and public key cryptography
twisted at itamarst.org
Tue Apr 23 06:52:27 EDT 2002
I've been thinking a bit about this - maybe it ought to be done on the SSL
level, since SSL already has the public key infrastructure, but the SSL
model is very annoying and cumbersome to work with. I think the SDSI/SPKI
infrastructure might suite PB's model very well.
I can't be sure of this, I haven't read in detail, but the model seems to
match cred's service/perspective/identity model very very well.
E.g., read this - http://theory.lcs.mit.edu/~cis/sdsi/sdsi2/sdsi20_1.html
In cred terms, we would say a service's authorizer is what he describes as a
"phone book", a name is an identity, and to each identity we can attach
perspectives - what SPKI calls permissions. So this gives us the capability
to have certificates for service/identity/perspective grants.
Further info at http://theory.lcs.mit.edu/~cis/sdsi.html
1. SSL server has certificate, client has no certificate (like the way most
public web servers work) so SSL is just used for transport encryption. The
SPKI authentication is done over this, and works the same as it would for
TCP. Well, not SSL, TLS, but the idea is the same.
2. SPKI may be mappable to SSL certificates, so the user's client
certificate would include the identity and perspective. This would be a
3. Build a crypto handshake based on SPKI (e.g. there's a simple demo one
that comes with the Python SPKI toolkit Pisces, I'm sure someone has written
others). Of course, this adds a whole new level of requirements for
All in all (1) seems easiest.
More information about the Twisted-Python