RE: draft-turner-caclearanceconstraints-01.txt

"Turner, Sean P." <turners@ieca.com> Tue, 14 October 2008 13:34 UTC

From: "Turner, Sean P." <turners@ieca.com>
To: 'Santosh Chokhani' <SChokhani@cygnacom.com>, "'Timothy J. Miller'" <tmiller@mitre.org>, 'Carl Wallace' <CWallace@cygnacom.com>
Cc: ietf-pkix@imc.org
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com>
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Date: Tue, 14 Oct 2008 08:58:36 -0400
Organization: IECA, Inc.
Message-ID: <D1165D0004A74F2EB89FD9FFC0606D31@Wylie>
In-Reply-To: <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com>


I just wanted to add that the ID does not address relationships between
security policies.  It only addresses whether the EE's asserted clearance is
within the issuer's allowed clearance set.

spt

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org 
[mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Santosh Chokhani
Sent: Monday, October 13, 2008 10:33 AM
To: Timothy J. Miller; Carl Wallace
Cc: ietf-pkix@imc.org
Subject: RE: draft-turner-caclearanceconstraints-01.txt


Differences in various policies are articulated using the security policy OID in the clearance structure that has been accepted by the Internet Standards Community.

In addition, clearance is a well-defined mathematical concept and is formalized using a lattice structure.  Within a security policy, clearance consists of a hierarchical sensitivity level and a non-hierarchical category set.  Two clearances within a security policy can be ordered or can be incomparable based on simple and well-defined mathematical rules.

People in other parts of the IETF are using these concepts to label data and make information flow decisions.

Some pioneering work has been done in the technical community (albeit not exposed to the IETF) in the area of comparing clearances of two security policies.

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Timothy J. Miller
Sent: Monday, October 13, 2008 10:03 AM
To: Carl Wallace
Cc: ietf-pkix@imc.org
Subject: Re: draft-turner-caclearanceconstraints-01.txt

Carl Wallace wrote:
> I vote yes to adopting this as a PKIX work item.  Specification details
> can be resolved after the draft is accepted as a working group draft.

Can we even say for certain that clearance is a consistent enough concept within and across jurisdictions to enable a single logic for constraint processing?  I'd argue not.

E.g., RFC3281 talks about "the" basic clearance hierarchy, which doesn't even exist.  What's the relationship between NATO CONFIDENTIAL and US UNCLASSIFIED CONTROLLED INFORMATION?  How about US UCI and US FOR OFFICIAL USE ONLY?  US SECRET/NOFOREIGN?  US TS/SCI and TS/SAP?  And that's without even getting into the obscure corners of the US alone.

What I'm trying to say is that classification is *not* a strict hierarchy.  It's semi-structured.  We have trouble enough figuring this stuff out in the real world without having to write code for it.  :)

Presuming I have a vote, I vote no.

-- Tim
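The lattice ordering Santosh describes (a hierarchical level plus a non-hierarchical category set, giving clearances that are either ordered or incomparable within one policy) and the single check Sean says the draft performs (is the EE's asserted clearance within the issuer's allowed set) can be made concrete in a few lines. The following is an added example written for this archive page; it is not code from the draft, from any of the posters, or from any PKIX implementation. The policy OIDs, level names and category strings are constructed for illustration, the numeric level ordering simply mirrors the names in the RFC 3281 ClassList, and the "within the issuer's allowed set" rule is modelled here as "dominated by at least one clearance in the set under the same policy", which is an assumption about the check, not the draft's normative text. Clearances under different policy OIDs are deliberately left incomparable, matching Sean's note that cross-policy relationships are out of scope.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Assumed, illustrative security policy identifiers (not real registered OIDs).
POLICY_A = "1.2.3.4.1"
POLICY_B = "1.2.3.4.2"

# Hierarchical sensitivity levels.  The names follow the RFC 3281 ClassList;
# the integer ranks are this example's own and define the total order on levels.
LEVELS = {
    "unclassified": 1,
    "restricted": 2,
    "confidential": 3,
    "secret": 4,
    "topSecret": 5,
}


@dataclass(frozen=True)
class Clearance:
    policy: str                                  # security policy OID the clearance is stated under
    level: str                                   # hierarchical sensitivity level, a key of LEVELS
    categories: FrozenSet[str] = frozenset()     # non-hierarchical category set (e.g. compartments)


def compare(a: Clearance, b: Clearance) -> str:
    """Order two clearances in the lattice of one security policy.

    Returns 'equal', 'dominates' (a > b), 'dominated' (a < b) or 'incomparable'.
    a dominates b iff a's level is at least b's level AND a's category set is a
    superset of b's.  Clearances under different policies are rejected outright:
    the lattice is only defined within a single policy.
    """
    if a.policy != b.policy:
        raise ValueError("clearances under different security policies are not comparable")
    la, lb = LEVELS[a.level], LEVELS[b.level]
    a_ge_b = la >= lb and a.categories >= b.categories
    b_ge_a = lb >= la and b.categories >= a.categories
    if a_ge_b and b_ge_a:
        return "equal"
    if a_ge_b:
        return "dominates"
    if b_ge_a:
        return "dominated"
    return "incomparable"


def dominates(a: Clearance, b: Clearance) -> bool:
    """True when a is at least as high as b in the same policy's lattice."""
    return compare(a, b) in ("dominates", "equal")


def ee_within_issuer_set(ee: Clearance, allowed: List[Clearance]) -> bool:
    """Illustrative CA clearance-constraint check (this example's model, not the draft's text).

    The EE's asserted clearance is accepted iff some clearance in the issuer's
    allowed set, stated under the same policy OID, dominates it.  Entries under
    other policies never match, so no cross-policy relationship is inferred.
    """
    return any(c.policy == ee.policy and dominates(c, ee) for c in allowed)


if __name__ == "__main__":
    # Constructed sample clearances.
    secret_x = Clearance(POLICY_A, "secret", frozenset({"X"}))
    conf_xy = Clearance(POLICY_A, "confidential", frozenset({"X", "Y"}))
    conf_x = Clearance(POLICY_A, "confidential", frozenset({"X"}))

    print(compare(secret_x, conf_x))    # dominates: higher level, same categories
    print(compare(secret_x, conf_xy))   # incomparable: higher level but missing category Y

    # Issuer allows SECRET/{X} and CONFIDENTIAL/{X,Y}; neither dominates SECRET/{X,Y}.
    allowed = [secret_x, conf_xy]
    print(ee_within_issuer_set(conf_x, allowed))                                      # True
    print(ee_within_issuer_set(Clearance(POLICY_A, "secret", frozenset({"X", "Y"})), allowed))  # False
    # Same level and categories under a different policy OID: not within the set.
    print(ee_within_issuer_set(Clearance(POLICY_B, "secret", frozenset({"X"})), allowed))       # False
```

The incomparable case is the one worth keeping in mind when reading the thread: raising a level never compensates for a missing category, so a constraint check that only compared levels would accept clearances the lattice does not order.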