IETF Logo Mail Archive

RE: draft-turner-caclearanceconstraints-01.txt

Tom Gindin <tgindin@us.ibm.com> Wed, 29 October 2008 00:44 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 67CC53A6A17 for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 28 Oct 2008 17:44:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OoWbuUuwr+hk for <ietfarch-pkix-archive@core3.amsl.com>; Tue, 28 Oct 2008 17:44:54 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id C82E53A67AD for <pkix-archive@ietf.org>; Tue, 28 Oct 2008 17:44:53 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9T0EoKH095537 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 28 Oct 2008 17:14:51 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9T0Eo67095536; Tue, 28 Oct 2008 17:14:50 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from e8.ny.us.ibm.com (e8.ny.us.ibm.com [32.97.182.138]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9T0Ed9M095500 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-pkix@imc.org>; Tue, 28 Oct 2008 17:14:50 -0700 (MST) (envelope-from tgindin@us.ibm.com)
Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236]) by e8.ny.us.ibm.com (8.13.1/8.13.1) with ESMTP id m9T0BCCU024481 for <ietf-pkix@imc.org>; Tue, 28 Oct 2008 20:11:12 -0400
Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay04.pok.ibm.com (8.13.8/8.13.8/NCO v9.1) with ESMTP id m9T0Ec0r119842 for <ietf-pkix@imc.org>; Tue, 28 Oct 2008 20:14:38 -0400
Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id m9T0EbjY003993 for <ietf-pkix@imc.org>; Tue, 28 Oct 2008 20:14:37 -0400
Received: from d01ml062.pok.ibm.com (d01ml062.pok.ibm.com [9.56.228.115]) by d01av04.pok.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id m9T0Ebab003987; Tue, 28 Oct 2008 20:14:37 -0400
In-Reply-To: <9F11911AED01D24BAA1C2355723C3D32195A6F405B@EA-EXMSG-C332.europe.corp.microsoft.com>
To: Stefan Santesson <stefans@microsoft.com>
Cc: "ietf-pkix@imc.org" <ietf-pkix@imc.org>, Santosh Chokhani <SChokhani@cygnacom.com>
MIME-Version: 1.0
Subject: RE: draft-turner-caclearanceconstraints-01.txt
X-Mailer: Lotus Notes Release 7.0 HF277 June 21, 2006
From: Tom Gindin <tgindin@us.ibm.com>
Message-ID: <OFCEC5B850.4DC7EA3F-ON852574EF.007144F5-852574F1.0001567B@us.ibm.com>
Date: Tue, 28 Oct 2008 20:14:36 -0400
X-MIMETrack: Serialize by Router on D01ML062/01/M/IBM(Release 8.0.1|February 07, 2008) at 10/28/2008 20:14:37, Serialize complete at 10/28/2008 20:14:37
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

        Stefan, Santosh:

        I would like to put forward a set of processing rules which might 
actually be implementable for the "intersection" problem here:
A)      The intersection of two SecurityCategory entries with different 
SecurityCategory.Type is empty
B)      The intersection of two SecurityCategory entries with the same 
Type and Value is an entry with that Type and Value
C)      Any relying party unfamiliar with a given SecurityCategory.Type 
SHOULD treat the intersection of two SecurityCategory entries with that 
Type and different Value as being empty
D)      A relying party familiar with a given SecurityCategory.Type MAY 
process the intersection of two SecurityCategory entries with that Type 
and different Value according to customized rules for that type
        One customized type which I would suggest is "prefixable OID". The 
intersection of two values of this type is the longer of the two if the 
shorter one is its leading binary substring, and is empty otherwise.

                Tom Gindin





Stefan Santesson <stefans@microsoft.com> 
Sent by: owner-ietf-pkix@mail.imc.org
10/24/2008 10:00 PM

To
Santosh Chokhani <SChokhani@cygnacom.com>, "ietf-pkix@imc.org" 
<ietf-pkix@imc.org>
cc

Subject
RE: draft-turner-caclearanceconstraints-01.txt







Santosh,

What you suggest comes closer to the exercise I think need to be done 
before we decide what to do with this.

To standardize constraints with undefined processing rules feels to me 
like wanting to have one's cake and eat it too.
I think it is absolutely necessary to limit the logic so that an 
implementation can process any legal data within it. Otherwise the basic 
idea with having a standard seems a bit lost.

Now, processing all data does not mean that you know the meaning of all 
data, but at least you should be able to process it and hand it over to 
the next layer.

I would also like to have some rationales clarified, but I will ask for 
that in a separate thread.


Stefan Santesson
Senior Program Manager
Windows Security, Standards


> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Santosh Chokhani
> Sent: den 24 oktober 2008 15:52
> To: ietf-pkix@imc.org
> Subject: RE: draft-turner-caclearanceconstraints-01.txt
>
>
> Stefan,
>
> As stated in other strands of this thread, this will be handled by
> enhancing the I-D for a specific set of syntaxes of security categories
> or by deprecating the security categories from the clearance
> constraints.  The latter can obviate the need for taking the
> intersection of security categories.
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org]
> On Behalf Of Stefan Santesson
> Sent: Friday, October 24, 2008 9:27 AM
> To: Timothy J. Miller; Russ Housley
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-turner-caclearanceconstraints-01.txt
>
>
> Thanks for putting such good words to it :)
>
> Yes, that sounds very much like what I meant.
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>
> > -----Original Message-----
> > From: Timothy J. Miller [mailto:tmiller@mitre.org]
> > Sent: den 24 oktober 2008 15:23
> > To: Russ Housley
> > Cc: Stefan Santesson; ietf-pkix@imc.org
> > Subject: Re: draft-turner-caclearanceconstraints-01.txt
> >
> > Russ Housley wrote:
> >
> > > Where does the document say anything about mapping between security
> > > policies?
> >
> > I don't think that's what he means.  I think what he's driving at is:
> > how does a single vendor writing a single chaining library do it such
> > that the code works under any arbitrary intersection logic the end
> user
> > may specify?
> >
> > Did I get that right, Stefan?
> >
> > -- Tim
>

v2.23.0 | Report a Bug | By Email