Re: draft-turner-caclearanceconstraints-01.txt

"Timothy J. Miller" <tmiller@mitre.org> Fri, 24 October 2008 15:39 UTC

Message-ID: <4901E577.5010604@mitre.org>
Date: Fri, 24 Oct 2008 10:10:47 -0500
From: "Timothy J. Miller" <tmiller@mitre.org>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Santosh Chokhani <SChokhani@cygnacom.com>
CC: ietf-pkix@imc.org
Subject: Re: draft-turner-caclearanceconstraints-01.txt
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com> <D1165D0004A74F2EB89FD9FFC0606D31@Wylie> <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.europe.corp.microsoft.com> <200810231420.m9NEKWMC012409@balder-227.proper.com> <4901CC2E.5020607@mitre.org> <9F11911AED01D24BAA1C2355723C3D32195A6F3E3E@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A492B@scygexch1.cygnacom.com>
In-Reply-To: <FAD1CF17F2A45B43ADE04E140BA83D487A492B@scygexch1.cygnacom.com>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms070705090500010204090909"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Santosh Chokhani wrote:

> As stated in other strands of this thread, this will be handled by
> enhancing the I-D for a specific set of syntaxes of security categories
> or by deprecating the security categories from the clearance
> constraints.  The latter can obviate the need for taking the
> intersection of security categories.

IMHO, picking a couple of examples for category intersection doesn't
solve the problem for coders, and might well be taken as implying that
the examples are the only possibilities.

If these are the two options then I'd vote for going beyond deprecation
and defining clearance constraints *only* for sensitivity.  The constraint
algorithm then becomes the much simpler task of finding the minimum
value of classList in the chain.

-- Tim
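The two alternatives Tim contrasts above, as an added illustration (editor's code, not text or code from the draft, the thread, or any implementation). It models a Clearance after the RFC 5755 attribute (a policy OID, a classList bit string with unmarked=0 through topSecret=5, and optional securityCategories), treats a CA's clearance constraint as a list of such values, and computes the sensitivity-only result for a chain by ANDing classList per policy; that reading of "minimum value of classList in the chain" as a bitwise intersection is an assumption, as are the policy OID, the category-type OID and the sample chain, all of which are made up for the example. The category helper knows exactly one (made-up) category syntax and refuses any other, which is the coder's problem with generic category intersection.

```python
"""
Editor's illustration of clearance-constraint processing (not from the I-D).

Assumptions, labelled as such:
  * Clearance follows the RFC 5755 shape: policyId, classList bit string
    (unmarked=0 ... topSecret=5), optional securityCategories.  DER encoding is
    ignored; values are plain Python objects.
  * A CA's constraint is a list of Clearance values.  The effective sensitivity
    constraint for a chain is the per-policy bitwise AND of classList from the
    trust anchor down; a policy missing from any CA's constraint is dropped.
  * All OIDs below are made up for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# ClassList bit positions, following the RFC 5755 ClassList definition.
UNMARKED, UNCLASSIFIED, RESTRICTED, CONFIDENTIAL, SECRET, TOP_SECRET = range(6)

EXAMPLE_POLICY = "1.2.3.4.1"                       # assumed/made-up policy OID
CATEGORY_TYPE_SET_OF_NAMES = "1.3.6.1.4.1.99999.1"  # assumed/made-up category type


@dataclass
class Clearance:
    policy_id: str
    class_list: int = 1 << UNCLASSIFIED   # RFC 5755 DEFAULT {unclassified}
    categories: Optional[dict] = None     # {category_type_oid: value}


def bits(*levels: int) -> int:
    """Build a classList bit mask from level constants."""
    mask = 0
    for lvl in levels:
        mask |= 1 << lvl
    return mask


def effective_sensitivity(chain: list[list[Clearance]]) -> dict[str, int]:
    """
    Sensitivity-only constraint: walk the chain from trust anchor to the last
    CA, ANDing classList per policy.  Returns the surviving policies with the
    classList bits every CA in the chain permits.
    """
    result: dict[str, int] = {}
    for index, constraints in enumerate(chain):
        this_ca = {c.policy_id: c.class_list for c in constraints}
        if index == 0:
            result = dict(this_ca)
        else:
            result = {p: result[p] & this_ca[p] for p in result if p in this_ca}
    return result


def clearance_permitted(chain: list[list[Clearance]], ee: Clearance) -> bool:
    """True iff every level in the end entity's classList survives the chain."""
    eff = effective_sensitivity(chain)
    return ee.policy_id in eff and (ee.class_list & ~eff[ee.policy_id]) == 0


def intersect_categories(a: dict, b: dict) -> dict:
    """
    Category intersection is only defined per category syntax.  This helper
    knows one made-up syntax (a set of names) and raises for anything else:
    generic code cannot intersect a category type it has no rule for.
    """
    out: dict = {}
    for ctype in a.keys() & b.keys():
        if ctype == CATEGORY_TYPE_SET_OF_NAMES:
            common = set(a[ctype]) & set(b[ctype])
            if common:
                out[ctype] = frozenset(common)
        else:
            raise NotImplementedError(f"no intersection rule for category type {ctype}")
    return out


def example_chain() -> list[list[Clearance]]:
    """Constructed sample: root permits up to topSecret, sub-CA narrows it."""
    root = [Clearance(EXAMPLE_POLICY,
                      bits(UNCLASSIFIED, RESTRICTED, CONFIDENTIAL, SECRET, TOP_SECRET))]
    sub_ca = [Clearance(EXAMPLE_POLICY, bits(UNCLASSIFIED, CONFIDENTIAL, SECRET))]
    return [root, sub_ca]


if __name__ == "__main__":
    chain = example_chain()
    print("effective:", effective_sensitivity(chain))
    print("SECRET ok:", clearance_permitted(chain, Clearance(EXAMPLE_POLICY, bits(SECRET))))
    print("TOP_SECRET ok:", clearance_permitted(chain, Clearance(EXAMPLE_POLICY, bits(TOP_SECRET))))
```

With categories dropped, the whole constraint check is the AND loop plus one mask comparison; the category branch is where a per-syntax rule would have to be specified for every category type a relying party might meet.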