Editing Simple public-key infrastructure

'''Simple public key infrastructure''' ('''SPKI''', pronounced ''spoo-key'') was an attempt to overcome the complexity of traditional [[X.509]] [[public key infrastructure]].  It was specified in two [[Internet Engineering Task Force]] (IETF) [[Request for Comments]] (RFC) specifications – {{IETF RFC|2692}} and {{IETF RFC|2693}} – from the IETF [https://datatracker.ietf.org/wg/spki/about/ SPKI working group]. These two RFCs never passed the "experimental" maturity level of the IETF's [[Request for Comments#Status|RFC status]]. The SPKI specification defined an authorization certificate format, providing for the delineation of privileges, rights or other such attributes (called '''authorizations''') and binding them to a public key.  In 1996, SPKI was merged with '''Simple Distributed Security Infrastructure'''<ref>{{cite web|url=https://people.csail.mit.edu/rivest/sdsi10.html|title=SDSI – A Simple Distributed Security Infrastructure|website=people.csail.mit.edu|access-date=2017-03-15}}</ref> ('''SDSI''', pronounced ''sudsy'') by [[Ron Rivest]] and [[Butler Lampson]].

== History and overview ==
The original SPKI had identified principals only as [[public key]]s but allowed binding authorizations to those keys and delegation of authorization from one key to another. The encoding used was attribute:value pairing, similar to {{IETF RFC|822}} headers.

The original SDSI bound local names (of individuals or groups) to public keys (or other names), but carried authorization only in [[Access Control List]]s (ACLs) and did not allow for delegation of subsets of a principal's authorization.  The encoding used was standard [[S-expression]]. Sample RSA public key in SPKI in "advanced transport format" (for actual transport the structure would be [[Base64]]-encoded):

<syntaxhighlight lang="Lisp">
(public-key
   (rsa-pkcs1-md5
    (e #03#)
    (n
     |ANHCG85jXFGmicr3MGPj53FYYSY1aWAue6PKnpFErHhKMJa4HrK4WSKTO
     YTTlapRznnELD2D7lWd3Q8PD0lyi1NJpNzMkxQVHrrAnIQoczeOZuiz/yY
     VDzJ1DdiImixyb/Jyme3D0UiUXhd6VGAz0x0cgrKefKnmjy410Kro3uW1| )))
</syntaxhighlight>

The combined SPKI/SDSI allows the naming of principals, creation of named groups of principals and the delegation of rights or other attributes from one principal to another.  It includes a language for expression of authorization – a language that includes a definition of "intersection" of authorizations.  It also includes the notion of '''threshold subject''' – a construct granting authorizations (or delegations) only when ''K'' of ''N'' of the listed subjects concur (in a request for access or a delegation of rights).  SPKI/SDSI uses S-expression encoding, but specifies a binary form that is extremely easy to parse – an LR(0) grammar – called [[Canonical S-expressions]].

SPKI/SDSI does not define a role for a commercial [[certificate authority]] (CA).  In fact, one premise behind SPKI is that a commercial CA serves no useful purpose.<ref>
{{cite conference
 | first = Carl
 | last = Ellison
 | title = Establishing Identity Without Certification Authorities
 | book-title = 6th USENIX Security Symposium
 | year = 1996
 | citeseerx = 10.1.1.31.7263
}}</ref>
As a result of that, SPKI/SDSI is deployed primarily in closed solutions and in demonstration projects of academic interest.  Another side-effect of this design element is that it is difficult to monetize SPKI/SDSI by itself.{{Citation needed|date=June 2017}}  It can be a component of some other product, but there is no business case for developing SPKI/SDSI tools and services except as part of some other product.

The most prominent general deployments of SPKI/SDSI are E-speak, a middleware product from [[Hewlett-Packard|HP]] that used SPKI/SDSI for access control of web methods, and [[UPnP]] Security, that uses an XML dialect of SPKI/SDSI{{Citation needed|date=October 2015}} for access control of web methods, delegation of rights among network participants, etc.

== See also ==
* [[SPKAC]]

== Notes ==
{{reflist}}

== External links ==
* [http://world.std.com/~cme/html/spki.html SPKI homepage],
* [http://jsdsi.sf.net JSDSI (open source development effort)]
* [http://sourceforge.net/projects/cdsa CDSA (open source development effort)].

{{DEFAULTSORT:Simple Public Key Infrastructure}}
<!-- Categories -->
[[Category:Key management]]