Secure Distributed Security Infrastructure (SDSI)

SDSI is a new design for a public-key infrastructure, designed by Professors Ronald L. Rivest and Butler Lampson of MIT's Laboratory for Computer Science, members of LCS's Cryptography and Information Security research group.

SDSI research at MIT is supported by DARPA contract DABT63-96-C-0018, "Security for Distributed Computer Systems", and by NASA.

SDSI Status

SDSI 1.0

SDSI 1.0 has been designed (see references below). A prototype implementation by Matt Fredette and Gillian Elcock is underway. An initial version of a SDSI server is operational. The user interface has been designed and a protoype has been implemented, which is described in the thesis A Web-Based User Interface for SDSI. Another SDSI 1.0 implementation by Wei Dai has been almost entirely completed.

SDSI 1.1

A redesign of SDSI, to yield SDSI version 1.1 is underway. The documentation (see references below) lags behind the actual design work considerably; stay tuned for more details... The goals are to simplify the design still further, and to merge the design with Carl Ellison's SPKI work.

SDSI 2.0

This design represents the merger of SDSI and SPKI. It has a unified treatment of certificates, a coherent treatment of names (both for individuals and for groups), an algebra of "tags" for describing permissions and attributes, and a flexible means of denoting cryptographic keys.

A SDSI/SPKI 2.0 software distribution, including crypto code, is now openly available. The current release is 0.4.5. Click here for the distribution form.

Problems with the above link? Send me mail.

The Java implementation of SDSI/SPKI 2.0 is now available online.

References and Documentation

There is an archive of the SPKI/SDSI mailing group discussions here.

[Version 1.0]

(HTML)

(Postscript)

(Latex source)

(PowerPoint 4.0 slides for USENIX 96 presentation)

(PowerPoint 4.0 slides for RSA Laboratories Colloquia 96 presentation)

(PowerPoint 7.0 slides for CRYPTO 96 presentation)

[Version 1.1]

• (HTML)

[Version 2.0]

• (PowerPoint slides for Maryland Theoretical Computer Science Day 4/11/97)
• (Documentation for the SDSI 2.0 Library and Tools)
• Martin Abadi's paper, On SDSI's linked local name spaces. (J. Computer Security 6(1998),3-21.)
• Gilian Elcock's Master's thesis, Web-based user interface for a Simple Distributed Security Infrastructure (SDSI) (June 1997).
• Jean-Emile Elien's Master's thesis, Certificate discovery using SPKI/SDSI 2.0 certificates. (May 1998).
• Carl Ellison's page, SPKI/SDSI Certificate Documentation
• Carl Ellison's RFC 2692: SPKI Requirements (September 1999).
• Carl Ellison et al.'s RFC 2693: SPKI Certificate Theory (September 1999).
• Carl Ellison et al.'s Simple Public Key Certificate (March 1998).
• Carl Ellison et al.'s SPKI Examples (March 1998).
• Matt Fredette's Master's thesis, An implementation of SDSI--the Simple Distributed Security Infrastructure (May 1997).
• IETF SPKI Working Group Charter (1997).
• Alexander Morcos's Master's thesis, A Java implementation of Simple Distributed Security Infrastructure (May 1998).
• New certificate chain representation.
• Ron Rivest's S-expression page and code.
• Certficate Chain Discovery in SPKI/SDSI
by Dwaine Clarke, Jean-Emile Elien, Carl Ellison, Matt Fredette, Alexander Morcos, and Ronald L. Rivest.
Draft of November 1999. postscript
• Andrew Maywah's Master's thesis, An Implementation of a Secure Web Client Using SPKI/SDSI Certificates (June 2000).

Dwaine Clarke's Master's thesis, SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI (September 2001).