A key can delegate to a group the authority to sign certificates on behalf of the key. The delegation can be limited to certificates that match a template. Certificates can time out, and they can be reconfirmed by an on-line agent acting for the issuer.
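The acceptance rule this paragraph describes, sketched as an added example that is not code from the SDSI paper or its authors. The data model is an assumption made for illustration: keys are plain strings, a template is a dict of glob patterns, signatures are taken as already verified, and `reconfirm` is a hypothetical callback standing in for the on-line agent.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Toy model, not SDSI syntax: keys are strings, a certificate body is a dict of
# string fields, a template is a dict of glob patterns, and every signature is
# assumed to have been verified before these checks run.

@dataclass(frozen=True)
class Delegation:
    issuer: str        # key that delegates its signing authority
    group: frozenset   # keys allowed to sign on the issuer's behalf
    template: dict     # field -> pattern a delegated certificate must match

@dataclass(frozen=True)
class Cert:
    on_behalf_of: str  # key whose authority the certificate claims
    signer: str        # key that actually signed it
    fields: dict
    expires: int       # seconds since the epoch

def matches(template, fields):
    """Every templated field must be present and match its pattern."""
    return all(k in fields and fnmatchcase(fields[k], p) for k, p in template.items())

def authorized(cert, delegations):
    """The issuer signed directly, or a group member signed within the template."""
    if cert.signer == cert.on_behalf_of:
        return True
    return any(d.issuer == cert.on_behalf_of and cert.signer in d.group
               and matches(d.template, cert.fields) for d in delegations)

def accept(cert, delegations, now, reconfirm=None):
    if not authorized(cert, delegations):
        return False
    if now < cert.expires:
        return True
    # Timed out: fail closed unless an agent for the issuer reconfirms it.
    return reconfirm is not None and reconfirm(cert, now)

# Constructed sample data.
DELEGATIONS = [Delegation("K_dept", frozenset({"K_alice", "K_bob"}),
                          {"type": "membership", "group": "dept-*"})]
IN_SCOPE = Cert("K_dept", "K_alice", {"type": "membership", "group": "dept-staff"}, 2000)
OUT_OF_SCOPE = Cert("K_dept", "K_alice", {"type": "membership", "group": "admins"}, 2000)
OUTSIDER = Cert("K_dept", "K_mallory", {"type": "membership", "group": "dept-staff"}, 2000)
```

The template check runs before the expiry check, so reconfirmation can extend the life of an in-scope certificate but can never widen what the delegate was allowed to sign.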
SDSI is optimized for an on-line environment in which clients can interact with servers to learn what credentials are needed to satisfy a request, and can retrieve the needed credentials from other servers. In this environment the system is auto-configuring: there is no need to preload either clients or servers with anything other than their private keys and the definitions of their local name spaces.
For more information, see http://theory.lcs.mit.edu/~rivest/sdsi.ps