IETF Logo Mail Archive

RE: draft-turner-caclearanceconstraints-01.txt

"Santosh Chokhani" <SChokhani@cygnacom.com> Mon, 13 October 2008 14:57 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C2F6B3A69CD for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 13 Oct 2008 07:57:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.469
X-Spam-Level:
X-Spam-Status: No, score=-1.469 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kjexZpJJFKRZ for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 13 Oct 2008 07:57:06 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 6F2A33A68AC for <pkix-archive@ietf.org>; Mon, 13 Oct 2008 07:57:05 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9DEWi8a002308 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 13 Oct 2008 07:32:44 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9DEWix3002307; Mon, 13 Oct 2008 07:32:44 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id m9DEWhK4002301 for <ietf-pkix@imc.org>; Mon, 13 Oct 2008 07:32:43 -0700 (MST) (envelope-from SChokhani@cygnacom.com)
Received: (qmail 6060 invoked from network); 13 Oct 2008 14:19:24 -0000
Received: from SChokhani@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 13 Oct 2008 14:19:24 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 13 Oct 2008 14:19:23 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Date: Mon, 13 Oct 2008 10:32:41 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com>
In-Reply-To: <48F35523.7000409@mitre.org>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-turner-caclearanceconstraints-01.txt
Thread-Index: AcktPo1xbBGJg+IZTZOD+0tgp11GwAAAKwnQ
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: "Timothy J. Miller" <tmiller@mitre.org>, Carl Wallace <CWallace@cygnacom.com>
Cc: ietf-pkix@imc.org
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Differences in various policies are articulated using the security
policy OID in the clearance structure that has been accepted by the
Internet Standards Community.

In addition, clearance is a well defined mathematical concept and
formalized using lattice structure.  Within a security policy, Clearance
consists of a hierarchical sensitivity level and non-hierarchical
category set.  Two clearances within a security can be ordered or can be
incomparable based on simple and well-defines mathematical rules.

People in other parts of IETF are using these concepts to label the data
and make information flow decisions.

Some pioneering work has been done in the technical community (albeit
not exposed to the IETF) in the area of comparing clearances of two
security policies.

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Timothy J. Miller
Sent: Monday, October 13, 2008 10:03 AM
To: Carl Wallace
Cc: ietf-pkix@imc.org
Subject: Re: draft-turner-caclearanceconstraints-01.txt

Carl Wallace wrote:
> I vote yes to adopting this as a PKIX work item.  Specification
details 
> can be resolved after the draft is accepted as a working group draft.

Can we even say for certain that clearance is a consistent enough 
concept within and across jurisdictions to enable a single logic for 
constraint processing?  I'd argue not.

E.g., RFC3281 talks about "the" basic clearance hierarchy, which doesn't

even exist.  What's the relationship between NATO CONFIDENTIAL and US 
UNCLASSIFIED CONTROLLED INFORMATION?  How about US UCI and US FOR 
OFFICIAL USE ONLY?  US SECRET/NOFOREIGN?  US TS/SCI and TS/SAP?  And 
that's without even getting into the obscure corners of the US alone.

What I'm trying to say is that classification is *not* a strict 
hierarchy.  It's semi-structured.  We have trouble enough figuring this 
stuff out in the real world without having to write code for it.  :)

Presuming I have a vote, I vote no.

-- Tim

v2.23.0 | Report a Bug | By Email