Trusted Sessions Working Group Minutes 9/24/92

"Doug Barlow, ZSO; (DTN)548-8552" <> Mon, 28 September 1992 21:06 UTC

Date: Mon, 28 Sep 92 13:14:31 PDT
From: "Doug Barlow, ZSO; (DTN)548-8552" <>
Subject: Trusted Sessions Working Group Minutes 9/24/92

                    Minutes of the Trusted Sessions Working Group
                    September 22-24, 1992  Minneapolis, Minnesota

        Since the  appointed  chair,  Julie LeMoine  (Mitre),  was  unable  to
        attend,  Doug Barlow  (Digital)  acted  as  Chairperson  pro  tem.  In
        attendance at this meeting were the following:

                   Dick Newton         Harris CSD
                   Stan Wisseman       Oracle Corp
                   Paul Vazquez        DIA/DSDIA
                   John Adams          SecureWare
                   Jim Hurley          Sun Micro Federal
                   Dan Vukelich        Mitre
                   Doug Barlow         Digital
                   Teodora Ngo         Sun Micro Federal
                   Narayan Makaram     Amdahl Corp
                   Bill Middlecamp     Cray
                   Joe Thompson        IBM Federal Systems Co

        The  minutes  from  the  last  meeting  were  reviewed  and  approved.
        Paul Vazquez  noted  that  several  DIA RFQ's have gone out specifying
        DNSIX V2.1, so that his comment at the last meeting, that  there  were
        no  V2.1  installed sites with which DNSIX V3.0 needed to be backwards
        compatible, was no longer true.  Hence the original  requirement  that
        DNSIX V3.0   be   backwards   compatible  with  DNSIX V2.1  remains  a

        We reviewed outstanding homework.  Bill Griffeth (USL)  had  completed
        the  requested edits to the Framework Document and submitted it to the
        TSIG archive.  John Adams had also completed the  requested  edits  to
        the  MaxSix Proposal for DNSIX Profile.  Julie LeMoine was not present
        to report on her progress with the  Auditable  Events  List  and  IETF
        working group draft charter.

        A homework item, a survey of privileges available on the known trusted
        system  platforms,  has  been  incomplete for several meetings, as the
        designated responsible individual has not been attending.  The purpose
        of  the homework item, to help clarify our understanding of how to map
        privilege sets between heterogeneous trusted  systems,  was  reviewed.
        The  group  felt  the work was important to continue, and Paul Vazquez
        and Stan Wisseman volunteered to do the work.   Paul  will  provide  a
        survey of CMW's, and Stan will survey non-CMW systems.

        It was noted that code used to be available from Mitre  that  provided
        the interpretations of the DNSIX encodings file.  Paul Vazquez pointed
        out that several holes had existed in that code, and that  it  was  no
        longer  being  distributed.   However,  the  DIA  had no objections to
        people who still had copies passing it along.  Paul  will  also  check
        into  whether  or  not  code updated for the DNSIX V2.1 encodings file
        will be made available.

        As an assignment from the opening TSIG plenary, the  Trusted  Sessions
        group discussed their plans for future IETF involvement.  Judging from
        the response to the presentation on trusted sessions given to the IETF
        Security  Area  Advisory  Group at the last joint meeting, the trusted
        sessions  group  felt  that  it  would  be  very   unlikely   that   a
        session-level  security  protocol  would fall within the IETF security
        architecture, and that even getting an IETF charter approved would  be
        difficult.    Since   the  purpose  of  TSIG  was  to  provide  simple
        interoperability, the group did not feel it necessary to push our work
        into the standards track at this time.  The group is interested in the
        new IETF Prototype RFC status for documents, and will  consider  going
        this  route  when  the  method  of  submitting  such a thing into IETF
        becomes clear.  The group also felt that it would be a good  idea  for
        future  documents to conform to the IETF RFC format (RFC 1111).  Also,
        the group supported the suggestion that TSIG  form  its  own  document
        registry  for  completed  working  group  documents.  This removed the
        outstanding homework assignment to Julie LeMoine to write a Draft IETF

        Dan Vukelich pointed out that the name of our working  group  (trusted
        SESSIONS) conjures up pictures of soaring OSI towers, and is likely to
        inflame IETF participants even before any content  is  presented.   He
        suggested a different approach, such as defining our work as a trusted
        application library  providing  secured  communication  services.   We
        decided  not to change our name within TSIG, but took his advice under
        consideration for when and if we release our work  as  IETF  Prototype

        Having finished the old business, TSWG enumerated the options for  new
        business,  and  prioritized  them.  The options, their priorities, and
        resulting discussions were as follows:

             1.  Help  other  groups  to  use   Trusted   Sessions   (priority
                 undecided).   While this sounded good, there was concern that
                 we'd decided not to pursue IETF membership, but at the  time,
                 every  other  TSIG working group except Trusted X Windows was
                 also an IETF working group.  It would be unlikely  that  they
                 would  be  able  to  depend  on a non-IETF protocol for their
                 operation.  We decided that a  discussion  with  the  Trusted
                 Admin group was in order.

             2.  Move existing applications such as rsh,  telnet,  etc.,  onto
                 trusted  sessions in such a way as to ensure interoperability
                 (priority undecided).  The possibility of looking at SNMP was
                 also  discussed.   The  group  suggested  that an Application
                 Developers'  Guide  be  a  part  of  any  TSIG   Architecture

             3.  Gain an understanding and solve  the  privilege  bit  mapping
                 issue  (high  priority).   Any  work  on  this depends on the
                 Privilege Mapping Survey, discussed above.  The POSIX.6  work
                 may make a good base for a minimal supported set.

             4.  Gain an understanding and solve the outstanding token mapping
                 issues (high priority).  The problems included adding support
                 for token multicast, and  authenticating  the  token  mapping
                 service.   The  group  felt  that  either moving to a central
                 token server, or else moving  to  sender-based  tokens  would
                 help  with  the  multicast issue.  However, it was noted that
                 trying to support both sender- and receiver- based tokens for
                 backwards compatibility made it difficult to resolve which of
                 the schemes was being used at the time, resulting in possible
                 token ambiguity.

             5.  Examine the issues  surrounding  multicast  (high  priority).
                 The  problems  with  this included token multicast, discussed
                 above, and also authentication multicast.  The  group  agreed
                 that they did not want to develop a new authentication scheme
                 that supported multicast.

             6.  Begin  work  on  the  TSIG  Architecture  Framework   (medium

             7.  Develop MIB definitions for the  trusted  sessions  protocols
                 (low  priority).   The group felt this was important, but had
                 no idea how to do it.  We decided that we would talk with the
                 Trusted Admin group about this as well.

             8.  Work on the DNSIX V4.0 Profile (high priority).  It was noted
                 that all the previous high priority items (numbers 3, 4, & 5)
                 fell under this topic.

        The following morning, the TSWG met jointly  with  the  Trusted  Admin
        working  group.   The  issues  we identified for discussion, and their
        outcome, are as follows:

             1.  TSWG needs help with our directions for what  to  manage  and
                 how   to   manage   it.   Management  includes  both  setting
                 operational parameters and  getting  operational  statistics,
                 simply  referred  to  as  `instrumentation'.   The  TAWG were
                 currently  investigating  SNMP  MIB  definitions  for  hosts,
                 users, and audit.  They will help us define MIBs for our work
                 if we can decide what we need managed.

             2.  The TSWG recognized that we were not the only group who would
                 have problems with privilege set mappings, and wanted to hear
                 the concerns the TAWG might have, and try and coordinate  our
                 work  to  ensure that multiple incompatible solutions did not
                 come out of TSIG.  TAWG agreed that it  was  a  problem,  but
                 TSWG had gotten further in understanding the problem.

             3.  What are TAWG's  needs  and  expectations  from  TSWG?   This
                 flowed  from the previous discussion, that common issues need
                 to be raised to the group.  It's OK for one group to work  on
                 a  solution,  but the other groups should be apprised through
                 the  plenary  of  the  activity  and  progress  in  order  to
                 coordinate TSIG-wide concerns.

        With that, the TSWG  settled  down  into  working  on  the  DNSIX V4.0
        Profile.  The list of identified issues to be solved was:

              o  Which authentication mechanism to use by default.
              o  Authenticating the token mapping.
              o  Multicast/Broadcast message issues (tokens, authentication).
              o  MIB definitions.
              o  Cross-DoI token resolution.

        The group then set out to identify a list of possible goals  in  order
        to  focus  the  work.   We  reviewed  previous and planned versions of
        DNSIX, and built on that.

        DNSIX V2.1 provides:

              o  Sensitivity Labeling in the IP header
              o  Session management
              o  Common audit formats

        DNSIX V3.0 adds:

              o  Token Mapping
              o  Attribute modulation
              o  Common API

        Possibilities for DNSIX V4.0:

              o  An XTI-based API
              o  System and User authentication
              o  Privacy and/or integrity options on labels and data
              o  Better label range controls
              o  Broadcast/Multicast support on tokens
              o  Authenticated token resolution
              o  CIPSO migration
              o  MIB definitions

        It was agreed that a simple approach would be to  take  the  attribute
        modulation  labels  used in DNSIX V3.0 and use them in the label field
        provided by TREES.  This would maintain  backwards  compatibility  for
        labels,  and  provide the system and user authentication.  TSWG didn't
        mind writing up a simple profile describing how to combine  work  from
        other   documents,   but  balked  at  writing  the  entire  DNSIX V4.0
        specification.  We suggested that that  might  be  a  better  job  for
        Mitre.  Paul Vazquez will look into it.

        We added the working DNSIX V4.0 profile to the TSWG numbering  system,
        and  at  the  same  time,  corrected  the  title  of TSIG-TSESS-3.  In
        addition, although the TSIG-TSESS-6 document is the minutes  from  the
        January  '92  meeting,  we  agreed  that  minutes  are not appropriate
        documents to be placed in the numbering registry.   So,  the  complete
        registry at this time is:

        Document            Title                               Author
        ----------------    ----------------------------------  -------------
        TSIG-TSESS-1-1.2    TSIG Framework for Trusted Session
                            Protocols                           Bill Griffeth
        TSIG-TSESS-2-1.1    TSIG Commercial Multi-level
                            Distributed Security Profile        Doug Barlow
        TSIG-TSESS-3-1.1    MaxSix Proposal for DNSIX V3.0
                            Profile                             Perry Flynn
        TSIG-TSESS-4-1.0    Trusted Realm Environment Exchange
                            Service (TREES)                     Doug Barlow
        TSIG-TSESS-5-1.0    TSIG Auditable Events for Trusted
                            Sessions                            Julie LeMoine
        TSIG-TSESS-6-1.0    Minutes of January 1992 TSWG
                            Meeting                             Bill Griffeth
        TSIG-TSESS-7-1.0    TSIG DNSIX V4.0 Security Profile    Doug Barlow

        Finally, the group unanimously reaffirmed Julie LeMoine as  the  group
        chair based solely on her outstanding performance to date.