Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)

"Santosh Chokhani" <SChokhani@cygnacom.com> Sun, 05 April 2009 12:00 UTC

From: "Santosh Chokhani" <SChokhani@cygnacom.com>
To: "Sean Turner" <turners@ieca.com>, "Nicolas Williams" <Nicolas.Williams@sun.com>
Cc: labeled-nfs@linux-nfs.org, nfs-discuss@opensolaris.org, saag@ietf.org, selinux@tycho.nsa.gov, nfsv4@ietf.org
Subject: Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)

Nico,

The link provided by Sean should help you quite a bit.

The main module leaves it up to you to define the semantics of categories
and their interactions.  (Maybe this is consistent with what Russ is
saying about categories adding excessive complexity.)

I did not look at other modules to see if they define categories any
further. 

> -----Original Message-----
> From: Sean Turner [mailto:turners@ieca.com] 
> Sent: Saturday, April 04, 2009 9:28 PM
> To: Nicolas Williams
> Cc: Santosh Chokhani; labeled-nfs@linux-nfs.org; 
> selinux@tycho.nsa.gov; saag@ietf.org; 
> nfs-discuss@opensolaris.org; nfsv4@ietf.org
> Subject: Re: [saag] Common labeled security (comment on 
> CALIPSO, labeled NFSv4)
> 
> Nico,
> 
> I usually try to find the corresponding ITU spec because I
> think ITU gives out all of its ASN.1 modules freely?
> Anyway, here's a link to the ITU-T X.841 Spec:
> http://www.itu.int/ITU-T/asn1/database/itu-t/x/x841/2000/index.html
> 
> The one thing that's missing from the module is definitions 
> for security categories.  Some suggested categories were 
> defined in Annex B, but it's an informative annex so there's 
> no ASN.1 freely available (they wouldn't allow them in the 
> normative text/module).  Those categories are based on FIPS 
> 188 (the syntax is not the same).
> 
> Note that some of the syntax for labels has made its way to
> some IDs/RFCs notably RFC 2634.
> 
> spt
> 
> Nicolas Williams wrote:
> > On Fri, Apr 03, 2009 at 03:51:46PM -0400, Santosh Chokhani wrote:
> >> NSA document on SPIF also had ASN.1 module for SPIF.
> > 
> > Ah, good!  A link would be great.
> > 
> >> Maybe you can use the applicable concepts to get a head
> >> start on XML.
> > 
> > If the ASN.1 module can be obtained freely then the XML follows 
> > trivially (and, as I said, has already been done).