SPKI Certificate Theory

C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, T. Ylonen


Citation: Internet RFC 2693, http://www.cis.ohio-state.edu/htbin/rfc/rfc2693.html, Sept. 1999.


Email: blampson@microsoft.com. This paper is at http://research.microsoft.com.



The SPKI Working Group has developed a standard form for digital certificates whose main purpose is authorization rather than authentication.  These structures bind either names or explicit authorizations to keys or other objects.  The binding to a key can be directly to an explicit key, or indirectly through the hash of the key or a name for it.  The name and authorization structures can be used separately or together.  We use S-expressions as the standard format for these certificates and define a canonical form for those S-expressions.  As part of this development, a mechanism for deriving authorization decisions from a mixture of certificate types was developed and is presented in this document. 


This document gives the theory behind SPKI certificates and ACLs without going into technical detail about those structures or their uses.