Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)

Kurt Zeilenga <> Sat, 04 April 2009 18:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8B4153A685B; Sat, 4 Apr 2009 11:43:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.08
X-Spam-Status: No, score=-3.08 tagged_above=-999 required=5 tests=[AWL=-0.481, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hUbyNVrJ9peS; Sat, 4 Apr 2009 11:43:27 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 655733A6891; Sat, 4 Apr 2009 11:43:27 -0700 (PDT)
Received: from [] ((unknown) []) by (submission channel) via TCP with ESMTPSA id <>; Sat, 4 Apr 2009 19:44:30 +0100
X-SMTP-Protocol-Errors: NORDNS
Message-Id: <>
From: Kurt Zeilenga <>
To: Russ Housley <>
In-Reply-To: <>
Date: Sat, 4 Apr 2009 11:44:24 -0700
References: <20090402154402.GM1500@Sun.COM> <> <>
X-Mailer: Apple Mail (2.930.3)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Cc:,,,,, Santosh Chokhani <>
Subject: Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 04 Apr 2009 18:43:28 -0000

On Apr 3, 2009, at 9:44 AM, Russ Housley wrote:

> I really do not have time to write about all of my concerns.

Understand.  It might be a long write-up!

> However, once you get beyond the basic classifications, the SPIF  
> model breaks.

I would say that the SPIF model discussed in SDN 801 has some  
significant limitations.  Dealing with the "black project" problem you  
allude to is certainly one of them.  Another is that the SPIF only  
describes authorization to access (e.g., read) an object (given the  
policy, the object's label, and the accessor's clearance).  It doesn't  
describes what labels an entity is allowed to use in labeling an  
object.  While one might assume that "right to read" implies a "right  
to label", this assumption is only useful in simple environments.  It  
cannot handle various national or international policies.

I do think there is a need to develop a SPIF replacement that  
addresses various limitations, and would be willing to provide input  
in such an effort.  However, it needs to be driven by key stakeholders.

Until there is a suitable SPIF replacement for labeling at the  
application level (e.g., Directory, email, XMPP), I'll continue to  
implement SPIF-based solutions as simply there simply ain't anything  
better policy-neutral solution (that I'm aware of)... and that's what  
my customers are asking for (as they find it useful in their use cases).

-- Kurt