A library implementing the Simple Public Key Infrastructure
libspki a library for operations on SPKI certificates, ACL:s, and
access and authorization decisions. The library is work in progress,
it's not terribly useful yet. Some of the design:
- Keep things simple. Do one thing, well.
- Start with the most crucial parts, certificates with only
"principal" subjects. Names and thresholds are secondary.
- Make it a nice friendly C library, without global state, with
configurable memory allocation, etc.
- Provide friendly command line tools, both for interactive use and
SPKI is a way to think about certificates that makes a lot more sense
then the popular X.500 and X.509 standards. The emphasis is on
authorization, delegation and capabilities, rather than on names. See
RFC 2693 and Carl
Ellison's SPKI page for more informaton.
As of 2003-03-10, the code is reasonably solid, and the most important
things are implemented. Parsing of keys, certificates and ACL:s.
Verification and creation of signatures. The "5-tuple reduction"
machinery is in place. There are some basic tools for creating
certificates. There are no special key generation tools, but you can
use lsh's. It's fairly small, about 7000 lines of C.
The interfaces, both for the library and the command line tools, are
functional but subject to change and improvements. There's
unfortunately not much documentation, the README
file provides an introduction, after that you have to read the source.
There are two other SPKI implementations I'm aware of: Intel's CDSA, which is a pretty
big and does a lot more than just SPKI, and JSDSI, a Java
library by Sameer Ajmani.
The first application that will use libspki is LSH, my ssh-2
implementation. I've planned adding real spki support for years, as a
good way both for delegating restricted access, and for certifying
hostkeys (which is usually the weakest link in all use of ssh).
libspki uses the
Nettle cryptographic library for the few cryptographic operations
that are needed. Nettle, in turn, uses GMP, the GNU bignum library, for
The CVS repository is located at cvs.lysator.liu.se.
Beware that the build system is not perfect, in particular it expects
to find Nettle as "../nettle" from both source and build trees, the
same way things are arranged if you check out all the complete lsh
source code. The easiest way to try it out is to use
cvs -d :pserver:email@example.com:/cvsroot/lsh co lsh
The important parts here are the src/nettle and