RE: draft-turner-caclearanceconstraints-01.txt
Russ Housley <housley@vigilsec.com> Thu, 23 October 2008 14:49 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7BB0F3A696E for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 23 Oct 2008 07:49:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.09
X-Spam-Level:
X-Spam-Status: No, score=-102.09 tagged_above=-999 required=5 tests=[AWL=-0.294, BAYES_00=-2.599, MSGID_FROM_MTA_HEADER=0.803, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i54za5UjJXVS for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 23 Oct 2008 07:49:31 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 0C6093A68D1 for <pkix-archive@ietf.org>; Thu, 23 Oct 2008 07:49:30 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9NEKheD012436 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 23 Oct 2008 07:20:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9NEKh6h012435; Thu, 23 Oct 2008 07:20:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [8.8.40.152]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id m9NEKWMC012409 for <ietf-pkix@imc.org>; Thu, 23 Oct 2008 07:20:42 -0700 (MST) (envelope-from housley@vigilsec.com)
Message-Id: <200810231420.m9NEKWMC012409@balder-227.proper.com>
Received: (qmail 8057 invoked by uid 0); 23 Oct 2008 14:20:28 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (96.255.145.18) by woodstock.binhost.com with SMTP; 23 Oct 2008 14:20:28 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 23 Oct 2008 10:20:20 -0400
To: Stefan Santesson <stefans@microsoft.com>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Cc: ietf-pkix@imc.org
In-Reply-To: <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.e urope.corp.microsoft.com>
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com> <D1165D0004A74F2EB89FD9FFC0606D31@Wylie> <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.europe.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Stefan: Where does the document say anything about mapping between security policies? Russ At 10:40 AM 10/22/2008, Stefan Santesson wrote: >The major problem I have is that there is no set logic for the >constraints processing. > >I have been told that there are current implementations of this and >that this fact itself should prove that it is implementable. >It is however my strong guess that current implementations work only >because they assume no difference in calculating intersections of >SecurityCategories for different known PolicyIDs. > >The problem comes when someone introduce a PolicyID which defines a >different intersection logic or order of classes. >The only way I can accept that Policy ID is to write new code. > >There is a huge difference between allowing inclusion of different >policy OIDs, than to allow then to define individual path processing logic. > >Just imagine if every certificate policy OID was allowed to specify >individual mapping logic (Like policy A is equal to policy B,C and >D), and then expect the path processing code to learn the mapping >logic for each and every Policy OID. > >I don't think anyone would consider that a good architecture and >protocol design to standardize. >But as far as I read it, this is precisely what the current CA >clearance constraints proposal wants us to do. > > > > >Stefan Santesson >Senior Program Manager >Windows Security, Standards > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf- > > pkix@mail.imc.org] On Behalf Of Turner, Sean P. > > Sent: den 14 oktober 2008 14:59 > > To: 'Santosh Chokhani'; 'Timothy J. Miller'; 'Carl Wallace' > > Cc: ietf-pkix@imc.org > > Subject: RE: draft-turner-caclearanceconstraints-01.txt > > > > > > > > I just wanted to add that the ID does not address relationships between > > security policies. It only addresses whether the EE's asserted > > clearance is > > within the issuer's allowed clearance set. > > > > spt > > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org > > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Santosh Chokhani > > Sent: Monday, October 13, 2008 10:33 AM > > To: Timothy J. Miller; Carl Wallace > > Cc: ietf-pkix@imc.org > > Subject: RE: draft-turner-caclearanceconstraints-01.txt > > > > > > Differences in various policies are articulated using the > > security policy OID in the clearance structure that has been > > accepted by the Internet Standards Community. > > > > In addition, clearance is a well defined mathematical concept > > and formalized using lattice structure. Within a security > > policy, Clearance consists of a hierarchical sensitivity level > > and non-hierarchical category set. Two clearances within a > > security can be ordered or can be incomparable based on simple > > and well-defines mathematical rules. > > > > People in other parts of IETF are using these concepts to label > > the data and make information flow decisions. > > > > Some pioneering work has been done in the technical community > > (albeit not exposed to the IETF) in the area of comparing > > clearances of two security policies. > > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf- > > pkix@mail.imc.org] > > On Behalf Of Timothy J. Miller > > Sent: Monday, October 13, 2008 10:03 AM > > To: Carl Wallace > > Cc: ietf-pkix@imc.org > > Subject: Re: draft-turner-caclearanceconstraints-01.txt > > > > Carl Wallace wrote: > > > I vote yes to adopting this as a PKIX work item. Specification > > details > > > can be resolved after the draft is accepted as a working group draft. > > > > Can we even say for certain that clearance is a consistent > > enough concept within and across jurisdictions to enable a > > single logic for constraint processing? I'd argue not. > > > > E.g., RFC3281 talks about "the" basic clearance hierarchy, which > > doesn't > > > > even exist. What's the relationship between NATO CONFIDENTIAL > > and US UNCLASSIFIED CONTROLLED INFORMATION? How about US UCI > > and US FOR OFFICIAL USE ONLY? US SECRET/NOFOREIGN? US TS/SCI > > and TS/SAP? And that's without even getting into the obscure > > corners of the US alone. > > > > What I'm trying to say is that classification is *not* a strict > > hierarchy. It's semi-structured. We have trouble enough > > figuring this stuff out in the real world without having to > > write code for it. :) > > > > Presuming I have a vote, I vote no. > > > > -- Tim > >
- draft-turner-caclearanceconstraints-01.txt Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Reddy, Raksha Patel
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- Re: draft-turner-caclearanceconstraints-01.txt Kurt Zeilenga
- RE: draft-turner-caclearanceconstraints-01.txt Ashmore, Samuel R.
- Re: draft-turner-caclearanceconstraints-01.txt Stephen Farrell
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Denis Pinkas
- Re: draft-turner-caclearanceconstraints-01.txt Yoav Nir
- What are certificates fundamentally all about? [w… Stephen Wilson
- RE: draft-turner-caclearanceconstraints-01.txt Carl Wallace
- Re: What are certificates fundamentally all about… Timothy J. Miller
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: What are certificates fundamentally all about… Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: What are certificates fundamentally all about… Stephen Wilson
- Re: What are certificates fundamentally all about… Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin