Transcribed slides from TSIG plenary

Mark Christenson <> Mon, 28 September 1992 17:44 UTC


			   Trusted Sessions

Future work:

	Help other groups use TSESS

	Move existing applications to TSESS (rsh, telnet, SNMP, ...)
	Application development guide?

	Understanding and disseminating privilege mapping.

	Token mapping service

	Multicast issues:  token authentication

	TSIG security architecture framework

	TSESS MIBs - Admin input

	DNSIX 4.0 profile


Trusted Sessions and IETF:

	Trusted Sessions will not pursue becoming an IETF working group.

	Would like official TSIG registry location in which to place
	finalized documents.

	Interested in placing final documents into IETF as Prototype RFC's,
	but want to know the process before committing.

Research Plan:

	Merge DNSIX 3.0 and CMDS with TREES to obtain DNSIX 4.0

DNSIX 4.0 Possibilities:

	From v2.1 we get:
		- Sensitivity labeling in the IP header
		- Session management
		- Audit formats

	v3.0 adds:
		- Token mapping
		- Attribute modulation
		- API

	v4.0 research topics:
		- XTI based API
		- System & user authentication
		- Privacy and/or integrity options on labels and data
		- Better label range controls
		- Broadcast/multicast support on tokens
		- Authenticated token resolution
		- CIPSO migration
		- MIB definitions

			   Trusted Admin

AITP/SMP Controversy -- Near Term

	* Offer AITP spec as a way to minimally address audit data transfer
	for a particular set of customers (the DODIIS community)

	* This would be a TSIG spec

	* Meets immediate needs

Longer term - audit data transfer

	* SNMP2 seems to take care of shortcomings with SNMP for audit
	data transfer	

IETF TSADMIN Relationship:

	* TSADMIN - spin off working groups as issues become more focussed
		- Audit MIB(s) - Host MIB - USER MIB

	* TSADMIN - build & extend work that is already being done
		- 1003.6 POSIX Current Drafts for:
			- User context
			- auditing
		- Host MIB in RFC
		- ISO Docs 8824 (ASN.1) and 8825
		- Simple Book and Open Book by Marshall Rose
		- RFC 1212 - Reference for a Concise MIB
		- RFC 1351 - SNMP Administrative Model
		- RFC 1352 - SNMP Security Protocols
		- RFC 1353 - Definitions for Managed Objects for SNMP
		- RFC 1155 - SNMP over TCP (obsoletes RFC 1065)


	* POSIX 1003.6 - Wally Ramsey and Lee Benzinger

	* Host MIB - Jeff Edelheit

	* Simple Book - All

	* ASN.1 - Kent Landfield and Jeff Walker

	* Docs - Joe Thompson, Vern McGeorge, Jim Hurley, Lee Benzinger and ??

	* MIB Compiler - Kent Landfield

	* Document AITP/SNMP2 concerns - Nina Lewis

Issue: TSADMIN needs vendor participation
		Privileges sets and semantics are different for different CMWs

	Request: Vendor documentation for system admin TFM docs

Issue: TSADMIN needs customer participation
	DNSIX 3.0 updates

Talk Next Time:

	Jeff Walker - "A Normalized Format for Audit Data"


1. Interoperability test
	Cray, DEC, HP, SecureWare, SFI, AT&T
	Results: Fantastic!
	a. All systems communicated at minimum req. level

2. TSIG CIPSO has met its goals and no longer needs to meet
	a. standard process will continue with the
		"IETF" CIPSO working group
	b. we will publish a final spec by 12/1/92 as:
		- proposed std RFC
		- Prototype RFC
		- TSIG doc (if there is a registration facility)

3. vote on 2.2 -- passed

(Now, as an) IETF CIPSO working group

1. implement IETF requirements to make proposed standard -- passed

2. meet DoD requests
	Moving level to header has no technical merit and thus we can
	not support this request.  9/0

3. IETF requirements for CIPSO
	a. better defined input/output handling rules
	b. require registration of DOI specific tag types - policy, format,
	 handling procedures
	c. consider DoD needs
	d. work on MIB
4. DoD requirements for CIPSO
	a. move sensitivity level to CIPSO header
	b. Add a release marking tag type
	c. Add processing procedure for Input/Output of tags
		1 - is it technically sound to move?
			no - 5, yes - 0
		2 - will we implement it anyway?
			no - 5, yes - 0