SPKI/SDSI Certificates

SPKI, SDSI and the other certificate mechanisms from 1996 onward started out to address apparent overcomplication in the X.509 world. However, by starting with a blank sheet of paper, they ended up addressing a more basic problem than complexity. Earlier certificate mechanisms suffered from the Walton's Mountain Assumption - that if you know a name for someone you know their identity (all their defining characteristics) - and that if you know someone's identity, then you know whether they're authorized to do or have something they request. This assumption is true in a world of small towns where, as the old joke goes, ``you don't have to use your turn signals because everyone knows where you're going''. That world no longer exists, so earlier certificate mechanisms based on it (X.509 in particular) fail miserably. Specifically, the Walton's Mountain Assumption is that those characteristics of a small town apply to the entire world.

This assumption is replaced by one of local knowledge: that knowledge required for security decisions and identity establishment remains local but the world extends beyond any one locality. In SDSI, an identifier is valid only locally to the person who creates it but the underlying raw public key is valid globally. In SPKI, an authorization grant is made only locally. If you need to grant authorization to someone beyond your locality, then you may (must) delegate that grant through a chain of local relationships. The same applies to PolicyMaker, KeyNote and XrML V2 (when properly used).

Along the way, we have learned that what is important in certificate (and related) security systems is not the computer-readable data structures and protocols alone. Rather, these certificates, licenses, grants, ACL entries, ..., are a cyberspace reflection of relationships in the physical world - and the security of these systems rests most heavily on the security of the process by which the physical world relationships are bound to their cyberspace reflections. That security far outweighs the more trivial security of private key protection, key length, choice of algorithm, etc., that people have obsessed about for decades. In pursuing this line of reasoning, we now have the Ceremony work but this work is in its infancy. There is much more to come.

[24 January 2004]

There are five certificate syntax forms referenced from this page:  SPKI/SDSI, X.509, PGP, X9.59 (AADS), PolicyMaker and KeyNote.  This page defines SPKI/SDSI and gives some links to the others but doesn't claim to provide a full set.

Check out John Pritchard's SPKI resource page.

There are frequent questions about the status of SPKI in IETF and in general. I wrote to the cryptography list about this in this message and, as I often do, in a reply to that message.

Table of contents

SPKI/SDSI Documentation

The SPKI/SDSI certificate format is the product of the SPKI Working Group of the IETF.  The IETF SPKI documentation is in four parts:
  1. RFC2692: Requirements giving the requirements gathered by the working group at the start of the process.
  2. RFC2693: Theory giving the theory of authorization certificates, as opposed to name or ID certificates that most people (e.g., X.509) discuss. This document points out some of the flawed assumptions in ID certificate theory and shows how SPKI's certificates (both authorization and ID) attempt to correct those flaws.
  3. structure #5 (old, #6 coming soon) -- giving the detailed structure of certificates that satisfy the theory RFC.
  4. examples #1 (even older) -- giving actual examples of certificates, both for instruction in how to use authorization certificates and for testing implementations for interoperability.
The SPKI mailing list is handled by majordomo@metzdowd.com. You can subscribe by sending a message whose body consists of the one line:

subscribe spki

As with other majordomo mailing lists, you can send the command:


to learn of other commands you can issue.

The mailing list archive can be accessed at http://www.sandelman.ottawa.on.ca/spki/. [There is another mailing list archive that appears to be more current. Thanks to the list member who pointed me there...]

The SDSI (Simple Distributed Security Infrastructure) part of SPKI/SDSI was developed separately by Ron Rivest and Butler Lampson.  The early documents on SDSI are available at:

Code and product pages


UPnP Papers

PKI in general

Digital Signature Risks

The idea that digital signatures could enable electronic commerce through what has come to be known as non-repudiation was first proposed by Diffie and Hellman in their seminal paper, ``New Directions in Cryptography''.  The idea has since gained much popularity.

It is generally asserted that one can achieve the desired non-repudiation through the combination of strength of cryptography and security of Certificate Authorities.  However, as Don Davis and others have pointed out, this puts a burden on the individual keyholder that that person may not be equipped to handle.  The result, when this is applied to normal consumers with home computers, is a potential victimization of that consumer.

One of the problems here is the change in computer cost and therefore ubiquity. In 1976, when Diffie and Hellman were writing and proposed non-repudiation (under a different term), computers were in guarded glass rooms. Now they're in the family room where the neighbor's teenage son has easy, unguarded access. A guarded computer might well serve as a check writing machine, but an unguarded one is too dangerous to empower that way.

Miscellaneous Papers

Other certificate formats

Misc. articles and how-to

This is not intended to be a complete list at all. These are just some links as people refer me to articles on PKI.


Carl M. Ellison; mailto:cme@acm.org?subject=spki.html