Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)

Nicolas Williams <> Mon, 06 April 2009 18:49 UTC

Date: Mon, 06 Apr 2009 13:10:53 -0500
From: Nicolas Williams <>
To: Russ Housley <>

On Mon, Apr 06, 2009 at 01:50:32PM -0400, Russ Housley wrote:
> >On Mon, Apr 06, 2009 at 07:03:32AM -0400, Santosh Chokhani wrote:
> >> I view SPIF as performing the following functions: converting machine to
> >> human representation and vice versa; establishing equivalency between
> >> two labeling policies, and defining which labels with the lattice are
> >> valid and which are invalid.
> >
> >If I understand Russ' comment correctly the difficulty with SPIF lies in
> >the label equivalency concept.  I think there's a better solution for
> >dealing with the idea that parts of a policy are classified differently
> >than others.
> No.  They are two separate concerns.
> Mapping labels between two different policies.  Hopefully this can be 
> avoided altogether in the NFS context.

There should be no impact from this on NFS.  If a server is able to map
some labels between multiple distinct DOIs, so much the better for it,
but that would be an implementation detail.

Making it possible to express label equivalencies is not an
implementation detail.  But it's also not a detail we should care about
in the context of NFSv4, whereas security policy agreement _is_
something that we should care about in the context of NFSv4.

> Some label values are not releasable to clients that do not have 
> access to data associated with that label.  This one is a real-world 
> problem, and it leads to different clients having different subsets 
> of the SPIF if this community that is being supported has this 
> requirement in their policy.

Right, that's what I meant, but I had misunderstood "label equivalency"
as being related (d'oh).  This is a problem that we must deal with to
the extent that it impacts how a client and server determine that they
agree on a common security policy.