[Twisted-Python] PB and public key cryptography

Itamar Shtull-Trauring twisted at itamarst.org
Tue Apr 23 06:52:27 EDT 2002

I've been thinking a bit about this - maybe it ought to be done on the SSL 
level, since SSL already has the public key infrastructure, but the SSL 
model is very annoying and cumbersome to work with. I think the SDSI/SPKI 
infrastructure might suite PB's model very well.

I can't be sure of this, I haven't read in detail, but the model seems to 
match cred's service/perspective/identity model very very well.

E.g., read this - http://theory.lcs.mit.edu/~cis/sdsi/sdsi2/sdsi20_1.html

In cred terms, we would say a service's authorizer is what he describes as a 
"phone book", a name is an identity, and to each identity we can attach 
perspectives - what SPKI calls permissions. So this gives us the capability 
to have certificates for service/identity/perspective grants.

Further info at http://theory.lcs.mit.edu/~cis/sdsi.html

Implementation options:
1. SSL server has certificate, client has no certificate (like the way most 
public web servers work) so SSL is just used for transport encryption. The 
SPKI authentication is done over this, and works the same as it would for 
TCP. Well, not SSL, TLS, but the idea is the same.

2. SPKI may be mappable to SSL certificates, so the user's client 
certificate would include the identity and perspective. This would be a 
horrible PITA.

3. Build a crypto handshake based on SPKI (e.g. there's a simple demo one 
that comes with the Python SPKI toolkit Pisces, I'm sure someone has written 
others). Of course, this adds a whole new level of requirements for 
implementing PB.

All in all (1) seems easiest.

More information about the Twisted-Python mailing list