Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
Russ Housley <housley@vigilsec.com> Mon, 06 April 2009 18:33 UTC
To: Nicolas Williams <Nicolas.Williams@sun.com>, Santosh Chokhani <SChokhani@cygnacom.com>
Cc: saag@ietf.org, labeled-nfs@linux-nfs.org, Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, nfs-discuss@opensolaris.org, nfsv4@ietf.org

Nico:

>On Mon, Apr 06, 2009 at 07:03:32AM -0400, Santosh Chokhani wrote:
> > I view SPIF as performing the following functions: converting machine to
> > human representation and vice versa; establishing equivalency between
> > two labeling policies, and defining which labels with the lattice are
> > valid and which are invalid.
>
>If I understand Russ' comment correctly the difficulty with SPIF lies in
>the label equivalency concept. I think there's a better solution for
>dealing with the idea that parts of a policy are classified differently
>than others.

No. They are two separate concerns.

Mapping labels between two different policies. Hopefully this can be avoided altogether in the NFS context.

Some label values are not releasable to clients that do not have access to data associated with that label. This one is a real-world problem, and it leads to different clients having different subsets of the SPIF if this community that is being supported has this requirement in their policy.

Russ