RE: draft-turner-caclearanceconstraints-01.txt
"Santosh Chokhani" <SChokhani@cygnacom.com> Wed, 29 October 2008 13:26 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 121843A6A43 for <ietfarch-pkix-archive@core3.amsl.com>; Wed, 29 Oct 2008 06:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.063
X-Spam-Level:
X-Spam-Status: No, score=-1.063 tagged_above=-999 required=5 tests=[AWL=0.406, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DaJko+wnclWd for <ietfarch-pkix-archive@core3.amsl.com>; Wed, 29 Oct 2008 06:26:01 -0700 (PDT)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 88A093A690E for <pkix-archive@ietf.org>; Wed, 29 Oct 2008 06:26:00 -0700 (PDT)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m9TCseT8046786 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 29 Oct 2008 05:54:40 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m9TCse9b046785; Wed, 29 Oct 2008 05:54:40 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by balder-227.proper.com (8.14.2/8.14.2) with SMTP id m9TCsTL6046743 for <ietf-pkix@imc.org>; Wed, 29 Oct 2008 05:54:39 -0700 (MST) (envelope-from SChokhani@cygnacom.com)
Received: (qmail 696 invoked from network); 29 Oct 2008 12:40:31 -0000
Received: from SChokhani@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 29 Oct 2008 12:40:31 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 29 Oct 2008 12:40:31 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: draft-turner-caclearanceconstraints-01.txt
Date: Wed, 29 Oct 2008 08:54:13 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D48849DB7@scygexch1.cygnacom.com>
In-Reply-To: <OFCEC5B850.4DC7EA3F-ON852574EF.007144F5-852574F1.0001567B@us.ibm.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: draft-turner-caclearanceconstraints-01.txt
Thread-Index: Ack5W1gUCShHB1FnSMKdxdH78s+kbAAadCuA
References: <9F11911AED01D24BAA1C2355723C3D32195A6F405B@EA-EXMSG-C332.europe.corp.microsoft.com> <OFCEC5B850.4DC7EA3F-ON852574EF.007144F5-852574F1.0001567B@us.ibm.com>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: ietf-pkix@imc.org
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Tom, Thanks. A, B, and C is what I have planned for. D is the area, I need to decide what types of values to support. Some of the times, values may be bit string or enumerated integers and hence binary comparison may not be valid. -----Original Message----- From: Tom Gindin [mailto:tgindin@us.ibm.com] Sent: Tuesday, October 28, 2008 8:15 PM To: Stefan Santesson Cc: ietf-pkix@imc.org; Santosh Chokhani Subject: RE: draft-turner-caclearanceconstraints-01.txt Stefan, Santosh: I would like to put forward a set of processing rules which might actually be implementable for the "intersection" problem here: A) The intersection of two SecurityCategory entries with different SecurityCategory.Type is empty B) The intersection of two SecurityCategory entries with the same Type and Value is an entry with that Type and Value C) Any relying party unfamiliar with a given SecurityCategory.Type SHOULD treat the intersection of two SecurityCategory entries with that Type and different Value as being empty D) A relying party familiar with a given SecurityCategory.Type MAY process the intersection of two SecurityCategory entries with that Type and different Value according to customized rules for that type One customized type which I would suggest is "prefixable OID". The intersection of two values of this type is the longer of the two if the shorter one is its leading binary substring, and is empty otherwise. Tom Gindin Stefan Santesson <stefans@microsoft.com> Sent by: owner-ietf-pkix@mail.imc.org 10/24/2008 10:00 PM To Santosh Chokhani <SChokhani@cygnacom.com>, "ietf-pkix@imc.org" <ietf-pkix@imc.org> cc Subject RE: draft-turner-caclearanceconstraints-01.txt Santosh, What you suggest comes closer to the exercise I think need to be done before we decide what to do with this. To standardize constraints with undefined processing rules feels to me like wanting to have one's cake and eat it too. I think it is absolutely necessary to limit the logic so that an implementation can process any legal data within it. Otherwise the basic idea with having a standard seems a bit lost. Now, processing all data does not mean that you know the meaning of all data, but at least you should be able to process it and hand it over to the next layer. I would also like to have some rationales clarified, but I will ask for that in a separate thread. Stefan Santesson Senior Program Manager Windows Security, Standards > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf- > pkix@mail.imc.org] On Behalf Of Santosh Chokhani > Sent: den 24 oktober 2008 15:52 > To: ietf-pkix@imc.org > Subject: RE: draft-turner-caclearanceconstraints-01.txt > > > Stefan, > > As stated in other strands of this thread, this will be handled by > enhancing the I-D for a specific set of syntaxes of security categories > or by deprecating the security categories from the clearance > constraints. The latter can obviate the need for taking the > intersection of security categories. > > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf- > pkix@mail.imc.org] > On Behalf Of Stefan Santesson > Sent: Friday, October 24, 2008 9:27 AM > To: Timothy J. Miller; Russ Housley > Cc: ietf-pkix@imc.org > Subject: RE: draft-turner-caclearanceconstraints-01.txt > > > Thanks for putting such good words to it :) > > Yes, that sounds very much like what I meant. > > Stefan Santesson > Senior Program Manager > Windows Security, Standards > > > > -----Original Message----- > > From: Timothy J. Miller [mailto:tmiller@mitre.org] > > Sent: den 24 oktober 2008 15:23 > > To: Russ Housley > > Cc: Stefan Santesson; ietf-pkix@imc.org > > Subject: Re: draft-turner-caclearanceconstraints-01.txt > > > > Russ Housley wrote: > > > > > Where does the document say anything about mapping between security > > > policies? > > > > I don't think that's what he means. I think what he's driving at is: > > how does a single vendor writing a single chaining library do it such > > that the code works under any arbitrary intersection logic the end > user > > may specify? > > > > Did I get that right, Stefan? > > > > -- Tim >
- draft-turner-caclearanceconstraints-01.txt Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Reddy, Raksha Patel
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- Re: draft-turner-caclearanceconstraints-01.txt Kurt Zeilenga
- RE: draft-turner-caclearanceconstraints-01.txt Ashmore, Samuel R.
- Re: draft-turner-caclearanceconstraints-01.txt Stephen Farrell
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Denis Pinkas
- Re: draft-turner-caclearanceconstraints-01.txt Yoav Nir
- What are certificates fundamentally all about? [w… Stephen Wilson
- RE: draft-turner-caclearanceconstraints-01.txt Carl Wallace
- Re: What are certificates fundamentally all about… Timothy J. Miller
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: What are certificates fundamentally all about… Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: What are certificates fundamentally all about… Stephen Wilson
- Re: What are certificates fundamentally all about… Stephen Kent
- RE: draft-turner-caclearanceconstraints-01.txt Turner, Sean P.
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Russ Housley
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- Re: draft-turner-caclearanceconstraints-01.txt Timothy J. Miller
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Stefan Santesson
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin
- RE: draft-turner-caclearanceconstraints-01.txt Santosh Chokhani
- RE: draft-turner-caclearanceconstraints-01.txt Tom Gindin