RE: draft-turner-caclearanceconstraints-01.txt
"Santosh Chokhani" <SChokhani@cygnacom.com> Thu, 23 October 2008 13:45 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76A763A6935 for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 23 Oct 2008 06:45:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.469
X-Spam-Level:
X-Spam-Status: No, score=-1.469 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VVO65jBDTmqk for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 23 Oct 2008 06:45:30 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 0B1563A68E6 for <pkix-archive@ietf.org>; Thu, 23 Oct 2008 06:45:29 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9NDKR1i008553 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 23 Oct 2008 06:20:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9NDKRxE008552; Thu, 23 Oct 2008 06:20:27 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id m9NDKQrU008546 for <ietf-pkix@imc.org>; Thu, 23 Oct 2008 06:20:27 -0700 (MST) (envelope-from SChokhani@cygnacom.com)
Received: (qmail 26314 invoked from network); 23 Oct 2008 13:06:53 -0000
Received: from SChokhani@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 23 Oct 2008 13:06:53 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 23 Oct 2008 13:06:53 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Date: Thu, 23 Oct 2008 09:20:25 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D487A4867@scygexch1.cygnacom.com>
In-Reply-To: <9F11911AED01D24BAA1C2355723C3D32195A6F3728@EA-EXMSG-C332.europe.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-turner-caclearanceconstraints-01.txt
Thread-Index: AcktPo1xbBGJg+IZTZOD+0tgp11GwAAAKwnQAC8iOcABlZKT4AAD3NvgACVIDNAABsE5sA==
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com> <D1165D0004A74F2EB89FD9FFC0606D31@Wylie> <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A47D0@scygexch1.cygnacom.com> <9F11911AED01D24BAA1C2355723C3D32195A6F3728@EA-EXMSG-C332.europe.corp.microsoft.com>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: ietf-pkix@imc.org
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Stefan, I realize that a generic structure for security categories can not be implemented. I hope you see the point that without casting the security categories more concretely, I can not provide more detailed pseudo-code than saying that take a set theoretic intersection. If the work item is taken up, we would definitely look at option of casting the security categories structure concretely or giving couple of examples for different structures. -----Original Message----- From: Stefan Santesson [mailto:stefans@microsoft.com] Sent: Thursday, October 23, 2008 8:28 AM To: Santosh Chokhani; ietf-pkix@imc.org Subject: RE: draft-turner-caclearanceconstraints-01.txt Santosh, > One answer to your question will be that this can be sorted out during > the comment period. I have thought about that, but I would prefer not. The reason is that this is a fundamental aspect of the standard and I want to see that you can build a reasonable solution to a reasonable problem before I would support to standardize it. > > But, specific answer to your question is that in all cases logical > intersection of categories is computed. Specific details beyond that > will depend on how the categories are encoded. I don't understand what you mean here. The current specification makes clear that the intersection logic can change in any way for each Policy ID. There is no defined "default" logic and no way to tell if a PolicyID alters this logic. As such I can't write a code that can perform the fundamental intersection logic of the protocol. I would have to build a solution that allows every "user" to invoke custom code for every PolicyID. That to me is a too complex response to this problem, especially since I don't think this problem should be handled in certificates at all. And that if this would be done in certificates anyway, that we at least should skip the constraints logic. I miss the balance discussion. Writing a new standard comes with a cost. We are potentially confusing the community with another specification. We potentially promote making PKI more complex. We potentially promote Certificates to be the right place to carry clearance information. Just because something could be useful in some corner cases, does not make it the right thing to standardize. Stefan Santesson Senior Program Manager Windows Security, Standards > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf- > pkix@mail.imc.org] On Behalf Of Santosh Chokhani > Sent: den 22 oktober 2008 18:26 > To: ietf-pkix@imc.org > Subject: RE: draft-turner-caclearanceconstraints-01.txt > > > Stefan, > > One answer to your question will be that this can be sorted out during > the comment period. > > But, specific answer to your question is that in all cases logical > intersection of categories is computed. Specific details beyond that > will depend on how the categories are encoded. >
- draft-turner-caclearanceconstraints-01.txt Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Reddy, Raksha Patel
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- Re: draft-turner-caclearanceconstraints-01.txt Kurt Zeilenga
- RE: draft-turner-caclearanceconstraints-01.txt Ashmore, Samuel R.
- Re: draft-turner-caclearanceconstraints-01.txt Stephen Farrell
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Denis Pinkas
- Re: draft-turner-caclearanceconstraints-01.txt Yoav Nir
- What are certificates fundamentally all about? [w… Stephen Wilson
- RE: draft-turner-caclearanceconstraints-01.txt Carl Wallace
- Re: What are certificates fundamentally all about… Timothy J. Miller
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: What are certificates fundamentally all about… Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: What are certificates fundamentally all about… Stephen Wilson
- Re: What are certificates fundamentally all about… Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin