RE: draft-turner-caclearanceconstraints-01.txt

"Santosh Chokhani" <SChokhani@cygnacom.com> Fri, 24 October 2008 16:10 UTC

Subject: RE: draft-turner-caclearanceconstraints-01.txt
Date: Fri, 24 Oct 2008 11:24:30 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D487A4950@scygexch1.cygnacom.com>
In-Reply-To: <4901E577.5010604@mitre.org>
Thread-Topic: draft-turner-caclearanceconstraints-01.txt
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com> <D1165D0004A74F2EB89FD9FFC0606D31@Wylie> <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.europe.corp.microsoft.com> <200810231420.m9NEKWMC012409@balder-227.proper.com> <4901CC2E.5020607@mitre.org> <9F11911AED01D24BAA1C2355723C3D32195A6F3E3E@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A492B@scygexch1.cygnacom.com> <4901E577.5010604@mitre.org>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: ietf-pkix@imc.org
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>

Tim,

An example of ANY is Algorithm Identifier which appears in Signature,
SIGNED MACRO, and SPKI.

So, there is a precedent for it.

I was hoping to define 2-3 specific structures: An existing one in use;
one we all agree on if this I-D is adopted as work item; and an optional
one that may be useful to what folks are doing for NFS.  2 and 3 could
be combined.

For deprecation approaches, see my post from Thursday October 23 from a
strand on this thread.

-----Original Message-----
From: Timothy J. Miller [mailto:tmiller@mitre.org] 
Sent: Friday, October 24, 2008 11:11 AM
To: Santosh Chokhani
Cc: ietf-pkix@imc.org
Subject: Re: draft-turner-caclearanceconstraints-01.txt

Santosh Chokhani wrote:

> As stated in other strands of this thread, this will be handled by
> enhancing the I-D for a specific set of syntaxes of security categories
> or by deprecating the security categories from the clearance
> constraints.  The latter can obviate the need for taking the
> intersection of security categories.

IMHO, picking a couple of examples for category intersection doesn't 
solve the problem for coders, and might well be taken as implying that 
the examples are the only possibilities.

If these are the two options then I'd vote for going beyond deprecation
and defining clearance constraints *only* for sensitivity.  The constraint
algorithm then becomes the much simpler task of finding the minimum
value of classList in the chain.

-- Tim
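The two options Tim contrasts above (sensitivity-only constraints versus constraints that also intersect security categories) can be made concrete with a small evaluator. The code below is an added example written for this archive page; it is not code from the thread, the draft, or either author. It assumes a chain modelled as a list of dicts rather than real ASN.1, a placeholder policy identifier, and a single hypothetical category type whose values are plain label sets; the classList bit names follow the RFC 3281 ClassList definition. Every other category type is treated as opaque, which is exactly the situation an implementer faces when the category syntax is ANY.

```python
# Added example, not code from the mail thread or the draft.
# Models the constraint evaluation down a CA chain under the two options
# discussed in the thread:
#   (a) sensitivity only: intersect classList across every constrained CA;
#   (b) sensitivity plus securityCategories, where the intersection is only
#       computable for a category type this evaluator understands.
# All chain data below is constructed sample data.

CLASS_LIST_BITS = {  # bit names as in RFC 3281 ClassList; bit number = rank
    "unmarked": 0, "unclassified": 1, "restricted": 2,
    "confidential": 3, "secret": 4, "topSecret": 5,
}
CLASS_NAMES = {bit: name for name, bit in CLASS_LIST_BITS.items()}

# Hypothetical category type whose value is a set of labels (placeholder,
# not a real OID). Any other type is opaque to this evaluator.
KNOWN_SET_CATEGORY_TYPE = "example-set-category"
POLICY = "example-policy"  # placeholder policy identifier


def class_bits(names):
    """Map classList bit names to a frozenset of bit positions."""
    return frozenset(CLASS_LIST_BITS[n] for n in names)


def _constraint(cert, policy_id):
    """The CA's clearance constraint for policy_id, or None if unconstrained."""
    return cert.get("clearanceConstraints", {}).get(policy_id)


def effective_class_list(chain, policy_id):
    """Option (a): the classes every constrained CA in the chain permits.
    A CA with no constraint for policy_id is assumed to impose none.
    Returns None when no CA in the chain constrains the policy."""
    allowed = None
    for cert in chain:
        constraint = _constraint(cert, policy_id)
        if constraint is None:
            continue
        bits = class_bits(constraint["classList"])
        allowed = bits if allowed is None else allowed & bits
    return allowed


def highest_permitted_class(chain, policy_id):
    """The single value 'minimum of classList in the chain' reduces to: the
    highest rank that survives the intersection, or None if no class does
    (or no CA constrains the policy)."""
    allowed = effective_class_list(chain, policy_id)
    return CLASS_NAMES[max(allowed)] if allowed else None


def effective_categories(chain, policy_id):
    """Option (b): intersect securityCategories down the chain.
    Returns None when no CA constrains categories. Raises ValueError when a
    CA uses a category type this evaluator cannot interpret, instead of
    guessing a semantics for an opaque (ANY) value."""
    allowed = None
    for cert in chain:
        constraint = _constraint(cert, policy_id)
        if constraint is None or "securityCategories" not in constraint:
            continue
        cat = constraint["securityCategories"]
        if cat["type"] != KNOWN_SET_CATEGORY_TYPE:
            raise ValueError(f"cannot intersect category type {cat['type']!r}")
        values = frozenset(cat["value"])
        allowed = values if allowed is None else allowed & values
    return allowed


def clearance_permitted(chain, policy_id, ee_class_list, ee_categories=None):
    """Check an end-entity clearance against the chain's constraints.
    Every claimed class must be permitted; if categories are claimed and any
    CA constrains them, each claimed category must survive the intersection.
    An uninterpretable category constraint anywhere in the chain fails closed."""
    allowed = effective_class_list(chain, policy_id)
    if allowed is not None and not class_bits(ee_class_list) <= allowed:
        return False
    if ee_categories is not None:
        try:
            cats = effective_categories(chain, policy_id)
        except ValueError:
            return False
        if cats is not None and not frozenset(ee_categories) <= cats:
            return False
    return True


# Constructed chain: root -> intermediate -> issuing CA, each narrowing the
# permitted classes; the two lower CAs also constrain categories.
SAMPLE_CHAIN = [
    {"subject": "Root CA", "clearanceConstraints": {POLICY: {
        "classList": ["unclassified", "restricted", "confidential",
                      "secret", "topSecret"]}}},
    {"subject": "Intermediate CA", "clearanceConstraints": {POLICY: {
        "classList": ["unclassified", "restricted", "confidential", "secret"],
        "securityCategories": {"type": KNOWN_SET_CATEGORY_TYPE,
                               "value": ["alpha", "beta", "gamma"]}}}},
    {"subject": "Issuing CA", "clearanceConstraints": {POLICY: {
        "classList": ["unclassified", "restricted", "confidential"],
        "securityCategories": {"type": KNOWN_SET_CATEGORY_TYPE,
                               "value": ["beta", "gamma", "delta"]}}}},
]

# Same chain, but the issuing CA uses a category type this code cannot read.
OPAQUE_CHAIN = [dict(SAMPLE_CHAIN[0]), dict(SAMPLE_CHAIN[1]), {
    "subject": "Issuing CA", "clearanceConstraints": {POLICY: {
        "classList": ["unclassified", "restricted", "confidential"],
        "securityCategories": {"type": "opaque-category-type",
                               "value": b"\x30\x00"}}}}]

if __name__ == "__main__":
    print("highest permitted class:", highest_permitted_class(SAMPLE_CHAIN, POLICY))
    print("effective categories:", sorted(effective_categories(SAMPLE_CHAIN, POLICY)))
    print("opaque chain, class only:", clearance_permitted(OPAQUE_CHAIN, POLICY, ["confidential"]))
    print("opaque chain, with categories:", clearance_permitted(OPAQUE_CHAIN, POLICY, ["confidential"], ["beta"]))
```

Run against `SAMPLE_CHAIN`, the sensitivity-only path yields `confidential` as the highest permitted class and the category path yields `{beta, gamma}`. Against `OPAQUE_CHAIN` the class-only check still succeeds, while any clearance that claims categories is rejected because one CA's category value cannot be intersected; that fail-closed choice is this example's, not the draft's, and it illustrates why the thread treats an unspecified category syntax as a problem for implementers rather than a detail.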