Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)

Russ Housley <housley@vigilsec.com> Mon, 06 April 2009 18:33 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1FAFC28C16F; Mon, 6 Apr 2009 11:33:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.393
X-Spam-Level:
X-Spam-Status: No, score=-102.393 tagged_above=-999 required=5 tests=[AWL=0.206, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vkdTtSiChka2; Mon, 6 Apr 2009 11:33:45 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by core3.amsl.com (Postfix) with ESMTP id 5730528C177; Mon, 6 Apr 2009 11:33:45 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id 5645A9A471B; Mon, 6 Apr 2009 14:04:26 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id 7Guj3qYdruEZ; Mon, 6 Apr 2009 14:04:07 -0400 (EDT)
Received: from THINKPADR52.vigilsec.com (pool-71-191-197-15.washdc.fios.verizon.net [71.191.197.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id BA7AC9A4749; Mon, 6 Apr 2009 14:04:24 -0400 (EDT)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 06 Apr 2009 13:50:32 -0400
To: Nicolas Williams <Nicolas.Williams@sun.com>, Santosh Chokhani <SChokhani@cygnacom.com>
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20090406151606.GQ1500@Sun.COM>
References: <20090402154402.GM1500@Sun.COM> <FAD1CF17F2A45B43ADE04E140BA83D48A9FF82@scygexch1.cygnacom.com> <20090403164522.DEA9A9A4739@odin.smetech.net> <9C2457A4-328A-4A68-A9D2-6E4B5544078D@Isode.com> <FAD1CF17F2A45B43ADE04E140BA83D48A9FFE0@scygexch1.cygnacom.com> <B8FB99E8-17AA-4D4B-A309-8AF79838A304@Isode.com> <FAD1CF17F2A45B43ADE04E140BA83D48A9FFE9@scygexch1.cygnacom.com> <20090406151606.GQ1500@Sun.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <20090406180424.BA7AC9A4749@odin.smetech.net>
Cc: saag@ietf.org, labeled-nfs@linux-nfs.org, Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, nfs-discuss@opensolaris.org, nfsv4@ietf.org
Subject: Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2009 18:33:52 -0000

Nico:

>On Mon, Apr 06, 2009 at 07:03:32AM -0400, Santosh Chokhani wrote:
> > I view SPIF as performing the following functions: converting machine to
> > human representation and vice versa; establishing equivalency between
> > two labeling policies, and defining which labels with the lattice are
> > valid and which are invalid.
>
>If I understand Russ' comment correctly the difficulty with SPIF lies in
>the label equivalency concept.  I think there's a better solution for
>dealing with the idea that parts of a policy are classified differently
>than others.

No.  They are two separate concerns.

Mapping labels between two different policies.  Hopefully this can be 
avoided altogether in the NFS context.

Some label values are not releasable to clients that do not have 
access to data associated with that label.  This one is a real-world 
problem, and it leads to different clients having different subsets 
of the SPIF if this community that is being supported has this 
requirement in their policy.

Russ