Subject: Re: setuid ssh
To: Andrew Brown <atatat@atatdot.net>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 10/18/2000 10:20:25
Cc: Atsushi Onoe <onoe@sm.sony.co.jp>, cjs@cynic.net,
	hubert.feyrer@informatik.fh-regensburg.de, tech-security@netbsd.org
In-Reply-To: Message from Andrew Brown <atatat@atatdot.net> 
   of "Wed, 18 Oct 2000 10:13:40 EDT." <20001018101339.A29982@noc.untraceable.net> 
Reply-To: sommerfeld@orchard.arlington.ma.us
Message-Id: <20001018142031.6072B2A2A@orchard.arlington.ma.us>

> a mini-certificate?  it could just be a time_t, yes?  appended to the
> key before hashing for signing, and then kept with it.  or am i again
> simply restating what you said?

Yes.

In general terms, a certificate is a signed statement by a certifying
authority saying that some set of attributes are attached to a key.

In this case, the certifying authority is the entity in control of the
long-term key, and the "attributes" include the expiration time (and
probably also the user identity).

X.509 defines one kind of certificate; SPKI defines another; dnssec
signatures are another kind; pgp has its own certificate structure...

					- Bill
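The "mini-certificate" the quoted question and the reply describe, as an added worked example that is not code from this thread or from any SSH implementation: the holder of a long-term key signs a statement binding a short-lived public key to a user identity and an expiration time (a time_t), and the verifier checks the signature under the trusted long-term key before it trusts the expiry. Ed25519, the field layout, the length-prefixed encoding and all names are this example's own assumptions, not an SSH, X.509 or SPKI format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// MiniCert is the signed statement from the message: the certifying
// authority (the holder of the long-term key) asserts that ShortKey belongs
// to User and is valid until NotAfter. Layout is this example's own choice.
type MiniCert struct {
	User      string
	ShortKey  ed25519.PublicKey
	NotAfter  int64 // seconds since the Unix epoch, i.e. the time_t in the question
	Signature []byte
}

// tbs returns the to-be-signed bytes: length-prefixed user name, length-prefixed
// short-lived key, then the expiry. The prefixes make the encoding unambiguous,
// so no two different (user, key, expiry) triples can produce the same bytes.
func (c *MiniCert) tbs() []byte {
	var b []byte
	var n [8]byte
	binary.BigEndian.PutUint32(n[:4], uint32(len(c.User)))
	b = append(b, n[:4]...)
	b = append(b, c.User...)
	binary.BigEndian.PutUint32(n[:4], uint32(len(c.ShortKey)))
	b = append(b, n[:4]...)
	b = append(b, c.ShortKey...)
	binary.BigEndian.PutUint64(n[:], uint64(c.NotAfter))
	b = append(b, n[:]...)
	return b
}

// Issue generates a fresh short-lived key pair and has the long-term private key
// sign the statement about it. The short-lived private key is returned to the
// caller; the certificate travels with the short-lived public key.
func Issue(longTerm ed25519.PrivateKey, user string, lifetime time.Duration, now time.Time) (MiniCert, ed25519.PrivateKey, error) {
	shortPub, shortPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return MiniCert{}, nil, err
	}
	c := MiniCert{User: user, ShortKey: shortPub, NotAfter: now.Add(lifetime).Unix()}
	c.Signature = ed25519.Sign(longTerm, c.tbs())
	return c, shortPriv, nil
}

var (
	ErrBadSignature = errors.New("certificate signature does not verify under the long-term key")
	ErrExpired      = errors.New("certificate has expired")
)

// Verify checks the statement against the trusted long-term public key.
// The signature is checked first: an expiry that was edited after signing
// must fail as a forgery, not be treated as a genuine (if later) date.
func Verify(longTermPub ed25519.PublicKey, c MiniCert, now time.Time) error {
	if !ed25519.Verify(longTermPub, c.tbs(), c.Signature) {
		return ErrBadSignature
	}
	if now.Unix() > c.NotAfter {
		return ErrExpired
	}
	return nil
}

func main() {
	ltPub, ltPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	cert, _, err := Issue(ltPriv, "alice", time.Hour, now) // constructed sample user
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh cert:", Verify(ltPub, cert, now))
	fmt.Println("after two hours:", Verify(ltPub, cert, now.Add(2*time.Hour)))
	forged := cert
	forged.NotAfter += 86400 // someone extends the lifetime without the long-term key
	fmt.Println("edited expiry:", Verify(ltPub, forged, now))
}
```

The short-lived private key never needs to be protected as carefully as the long-term one: if it leaks, it stops being useful at NotAfter, and the long-term key was never exposed to the process that used it.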