IETF Logo Mail Archive

RE: draft-turner-caclearanceconstraints-01.txt

Russ Housley <housley@vigilsec.com> Thu, 23 October 2008 14:49 UTC

Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7BB0F3A696E for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 23 Oct 2008 07:49:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.09
X-Spam-Level:
X-Spam-Status: No, score=-102.09 tagged_above=-999 required=5 tests=[AWL=-0.294, BAYES_00=-2.599, MSGID_FROM_MTA_HEADER=0.803, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i54za5UjJXVS for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 23 Oct 2008 07:49:31 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 0C6093A68D1 for <pkix-archive@ietf.org>; Thu, 23 Oct 2008 07:49:30 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9NEKheD012436 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 23 Oct 2008 07:20:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9NEKh6h012435; Thu, 23 Oct 2008 07:20:43 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from woodstock.binhost.com (woodstock.binhost.com [8.8.40.152]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id m9NEKWMC012409 for <ietf-pkix@imc.org>; Thu, 23 Oct 2008 07:20:42 -0700 (MST) (envelope-from housley@vigilsec.com)
Message-Id: <200810231420.m9NEKWMC012409@balder-227.proper.com>
Received: (qmail 8057 invoked by uid 0); 23 Oct 2008 14:20:28 -0000
Received: from unknown (HELO THINKPADR52.vigilsec.com) (96.255.145.18) by woodstock.binhost.com with SMTP; 23 Oct 2008 14:20:28 -0000
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 23 Oct 2008 10:20:20 -0400
To: Stefan Santesson <stefans@microsoft.com>
From: Russ Housley <housley@vigilsec.com>
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Cc: ietf-pkix@imc.org
In-Reply-To: <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.e urope.corp.microsoft.com>
References: <p0624051bc5098b483ca0@[128.89.89.71]> <9F11911AED01D24BAA1C2355723C3D3218DDA55C66@EA-EXMSG-C332.europe.corp.microsoft.com> <FAD1CF17F2A45B43ADE04E140BA83D487A42B0@scygexch1.cygnacom.com> <48F35523.7000409@mitre.org> <FAD1CF17F2A45B43ADE04E140BA83D487A42FD@scygexch1.cygnacom.com> <D1165D0004A74F2EB89FD9FFC0606D31@Wylie> <9F11911AED01D24BAA1C2355723C3D3218DDC3E0B3@EA-EXMSG-C332.europe.corp.microsoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

Stefan:

Where does the document say anything about mapping between security policies?

Russ

At 10:40 AM 10/22/2008, Stefan Santesson wrote:

>The major problem I have is that there is no set logic for the 
>constraints processing.
>
>I have been told that there are current implementations of this and 
>that this fact itself should prove that it is implementable.
>It is however my strong guess that current implementations work only 
>because they assume no difference in calculating intersections of 
>SecurityCategories for different known PolicyIDs.
>
>The problem comes when someone introduce a PolicyID which defines a 
>different intersection logic or order of classes.
>The only way I can accept that Policy ID is to write new code.
>
>There is a huge difference between allowing inclusion of different 
>policy OIDs, than to allow then to define individual path processing logic.
>
>Just imagine if every certificate policy OID was allowed to specify 
>individual mapping logic (Like policy A is equal to policy B,C and 
>D), and then expect the path processing code to learn the mapping 
>logic for each and every Policy OID.
>
>I don't think anyone would consider that a good architecture and 
>protocol design to standardize.
>But as far as I read it, this is precisely what the current CA 
>clearance constraints proposal wants us to do.
>
>
>
>
>Stefan Santesson
>Senior Program Manager
>Windows Security, Standards
>
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org] On Behalf Of Turner, Sean P.
> > Sent: den 14 oktober 2008 14:59
> > To: 'Santosh Chokhani'; 'Timothy J. Miller'; 'Carl Wallace'
> > Cc: ietf-pkix@imc.org
> > Subject: RE: draft-turner-caclearanceconstraints-01.txt
> >
> >
> >
> > I just wanted to add that the ID does not address relationships between
> > security policies.  It only addresses whether the EE's asserted
> > clearance is
> > within the issuer's allowed clearance set.
> >
> > spt
> >
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org
> > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Santosh Chokhani
> > Sent: Monday, October 13, 2008 10:33 AM
> > To: Timothy J. Miller; Carl Wallace
> > Cc: ietf-pkix@imc.org
> > Subject: RE: draft-turner-caclearanceconstraints-01.txt
> >
> >
> > Differences in various policies are articulated using the
> > security policy OID in the clearance structure that has been
> > accepted by the Internet Standards Community.
> >
> > In addition, clearance is a well defined mathematical concept
> > and formalized using lattice structure.  Within a security
> > policy, Clearance consists of a hierarchical sensitivity level
> > and non-hierarchical category set.  Two clearances within a
> > security can be ordered or can be incomparable based on simple
> > and well-defines mathematical rules.
> >
> > People in other parts of IETF are using these concepts to label
> > the data and make information flow decisions.
> >
> > Some pioneering work has been done in the technical community
> > (albeit not exposed to the IETF) in the area of comparing
> > clearances of two security policies.
> >
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-
> > pkix@mail.imc.org]
> > On Behalf Of Timothy J. Miller
> > Sent: Monday, October 13, 2008 10:03 AM
> > To: Carl Wallace
> > Cc: ietf-pkix@imc.org
> > Subject: Re: draft-turner-caclearanceconstraints-01.txt
> >
> > Carl Wallace wrote:
> > > I vote yes to adopting this as a PKIX work item.  Specification
> > details
> > > can be resolved after the draft is accepted as a working group draft.
> >
> > Can we even say for certain that clearance is a consistent
> > enough concept within and across jurisdictions to enable a
> > single logic for constraint processing?  I'd argue not.
> >
> > E.g., RFC3281 talks about "the" basic clearance hierarchy, which
> > doesn't
> >
> > even exist.  What's the relationship between NATO CONFIDENTIAL
> > and US UNCLASSIFIED CONTROLLED INFORMATION?  How about US UCI
> > and US FOR OFFICIAL USE ONLY?  US SECRET/NOFOREIGN?  US TS/SCI
> > and TS/SAP?  And that's without even getting into the obscure
> > corners of the US alone.
> >
> > What I'm trying to say is that classification is *not* a strict
> > hierarchy.  It's semi-structured.  We have trouble enough
> > figuring this stuff out in the real world without having to
> > write code for it.  :)
> >
> > Presuming I have a vote, I vote no.
> >
> > -- Tim
> >

v2.23.0 | Report a Bug | By Email