IETF Logo Mail Archive

RE: draft-turner-caclearanceconstraints-01.txt

Stefan Santesson <stefans@microsoft.com> Sat, 25 October 2008 02:29 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C9E2B3A6896 for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 24 Oct 2008 19:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.565
X-Spam-Level:
X-Spam-Status: No, score=-10.565 tagged_above=-999 required=5 tests=[AWL=0.034, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MCNOgZDr3h8v for <ietfarch-pkix-archive@core3.amsl.com>; Fri, 24 Oct 2008 19:29:34 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 7424A3A679F for <pkix-archive@ietf.org>; Fri, 24 Oct 2008 19:29:33 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9P20un0043879 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 24 Oct 2008 19:00:56 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9P20udC043878; Fri, 24 Oct 2008 19:00:56 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from smtp-dub.microsoft.com (smtp-dub.microsoft.com [213.199.138.191]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9P20hrp043850 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for <ietf-pkix@imc.org>; Fri, 24 Oct 2008 19:00:55 -0700 (MST) (envelope-from stefans@microsoft.com)
Received: from DUB-EXHUB-C301.europe.corp.microsoft.com (65.53.213.91) by DUB-EXGWY-E801.partners.extranet.microsoft.com (10.251.129.1) with Microsoft SMTP Server (TLS) id 8.1.291.1; Sat, 25 Oct 2008 03:00:43 +0100
Received: from EA-EXMSG-C332.europe.corp.microsoft.com ([169.254.2.235]) by DUB-EXHUB-C301.europe.corp.microsoft.com ([65.53.213.91]) with mapi; Sat, 25 Oct 2008 03:00:42 +0100
From: Stefan Santesson <stefans@microsoft.com>
To: Santosh Chokhani <SChokhani@cygnacom.com>, "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Date: Sat, 25 Oct 2008 03:00:41 +0100
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Thread-Topic: draft-turner-caclearanceconstraints-01.txt
Thread-Index: Ack127PEa97rVbqZSeqU5dnzEIHPFAAAFzigAADFPLAAGSvgQA==
Message-ID: <9F11911AED01D24BAA1C2355723C3D32195A6F405B@EA-EXMSG-C332.europe.corp.microsoft.com>
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com> <D1165D0004A74F2EB89FD9FFC0606D31@Wylie> <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.europe.corp.microsoft.com> <200810231420.m9NEKWMC012409@balder-227.proper.com> <4901CC2E.5020607@mitre.org> <9F11911AED01D24BAA1C2355723C3D32195A6F3E3E@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A492B@scygexch1.cygnacom.com>
In-Reply-To: <FAD1CF17F2A45B43ADE04E140BA83D487A492B@scygexch1.cygnacom.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Santosh,

What you suggest comes closer to the exercise I think need to be done before we decide what to do with this.

To standardize constraints with undefined processing rules feels to me like wanting to have one's cake and eat it too.
I think it is absolutely necessary to limit the logic so that an implementation can process any legal data within it. Otherwise the basic idea with having a standard seems a bit lost.

Now, processing all data does not mean that you know the meaning of all data, but at least you should be able to process it and hand it over to the next layer.

I would also like to have some rationales clarified, but I will ask for that in a separate thread.


Stefan Santesson
Senior Program Manager
Windows Security, Standards


> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org] On Behalf Of Santosh Chokhani
> Sent: den 24 oktober 2008 15:52
> To: ietf-pkix@imc.org
> Subject: RE: draft-turner-caclearanceconstraints-01.txt
>
>
> Stefan,
>
> As stated in other strands of this thread, this will be handled by
> enhancing the I-D for a specific set of syntaxes of security categories
> or by deprecating the security categories from the clearance
> constraints.  The latter can obviate the need for taking the
> intersection of security categories.
>
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> pkix@mail.imc.org]
> On Behalf Of Stefan Santesson
> Sent: Friday, October 24, 2008 9:27 AM
> To: Timothy J. Miller; Russ Housley
> Cc: ietf-pkix@imc.org
> Subject: RE: draft-turner-caclearanceconstraints-01.txt
>
>
> Thanks for putting such good words to it :)
>
> Yes, that sounds very much like what I meant.
>
> Stefan Santesson
> Senior Program Manager
> Windows Security, Standards
>
>
> > -----Original Message-----
> > From: Timothy J. Miller [mailto:tmiller@mitre.org]
> > Sent: den 24 oktober 2008 15:23
> > To: Russ Housley
> > Cc: Stefan Santesson; ietf-pkix@imc.org
> > Subject: Re: draft-turner-caclearanceconstraints-01.txt
> >
> > Russ Housley wrote:
> >
> > > Where does the document say anything about mapping between security
> > > policies?
> >
> > I don't think that's what he means.  I think what he's driving at is:
> > how does a single vendor writing a single chaining library do it such
> > that the code works under any arbitrary intersection logic the end
> user
> > may specify?
> >
> > Did I get that right, Stefan?
> >
> > -- Tim
>

v2.23.0 | Report a Bug | By Email