Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)

Kurt Zeilenga <> Sat, 04 April 2009 22:59 UTC


On Apr 4, 2009, at 3:46 PM, Santosh Chokhani wrote:
> On the issue of authorization to "label" an object, I assume you are not
> saying that write authorizations need to be separate from read
> authorization.

No, I am saying the lack of separate "to read"/"to label"  
authorizations is a significant limitation of the SDN SPIF model.  For  
instance, one might not require any particular clearance to read  
UNCLASSIFIED//RELEASEABLE-TO-PUBLIC under a particular policy, but  
under that policy one might be required to have a specific clearance to create  
an object with a UNCLASSIFIED//RELEASEABLE-TO-PUBLIC label.  (There  
are a number of real world national/international policies that have  
asymmetric "to read"/"to label" handling of security labels.)  The SDN  
SPIF model, unfortunately, assumes that authorization to read implies  
authorization to label, so one cannot represent such a policy in a SPIF.

-- Kurt
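
The asymmetry described in the message above, as an added example that is not part of the original message and does not use the SDN SPIF data format: a toy Python model with separate "to read" and "to label" requirements per label, plus a check of what is lost when the two are collapsed into one rule. The clearance name RELEASE-AUTHORITY, the subjects and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Label text taken from the message; everything else is constructed.
PUBLIC = "UNCLASSIFIED//RELEASEABLE-TO-PUBLIC"

@dataclass(frozen=True)
class LabelRule:
    read_requires: frozenset   # clearances needed to read an object carrying the label
    label_requires: frozenset  # clearances needed to create an object with the label

# Asymmetric policy: no clearance needed to read, a specific (hypothetical)
# clearance needed to apply the label.
ASYMMETRIC = {PUBLIC: LabelRule(frozenset(), frozenset({"RELEASE-AUTHORITY"}))}
SUBJECTS = {"visitor": set(), "release_officer": {"RELEASE-AUTHORITY"}}

def may_read(policy, clearances, label):
    return policy[label].read_requires <= set(clearances)

def may_label(policy, clearances, label):
    return policy[label].label_requires <= set(clearances)

def collapse(policy, keep):
    """Force one rule per label, so read and label authorization coincide.
    keep="read" reuses the read rule, keep="label" reuses the label rule."""
    pick = (lambda r: r.read_requires) if keep == "read" else (lambda r: r.label_requires)
    return {lbl: LabelRule(pick(r), pick(r)) for lbl, r in policy.items()}

def divergences(policy, subjects, keep):
    """List (subject, label, action, original, collapsed) where the
    single-rule model decides differently from the asymmetric policy."""
    single, out = collapse(policy, keep), []
    for name, cl in sorted(subjects.items()):
        for lbl in policy:
            for action, check in (("read", may_read), ("label", may_label)):
                before, after = check(policy, cl, lbl), check(single, cl, lbl)
                if before != after:
                    out.append((name, lbl, action, before, after))
    return out

if __name__ == "__main__":
    for keep in ("read", "label"):
        print(keep, divergences(ASYMMETRIC, SUBJECTS, keep))
```

Keeping the read rule lets an uncleared subject apply the label; keeping the label rule instead blocks that subject from reading public material. Neither single-rule form reproduces the policy.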