
Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)



The work I am mentioning was done for NSA and can be released if NSA is
ok with it.

I suspect NSA will be ok with it. 

> -----Original Message-----
> From: Nicolas Williams [mailto:Nicolas.Williams at sun.com] 
> Sent: Friday, April 03, 2009 11:43 AM
> To: Santosh Chokhani
> Cc: saag at ietf.org; labeled-nfs at linux-nfs.org; 
> nfs-discuss at opensolaris.org; nfsv4 at ietf.org; selinux at tycho.nsa.gov
> Subject: Re: [saag] Common labeled security (comment on 
> CALIPSO, labeled NFSv4)
> 
> On Fri, Apr 03, 2009 at 11:22:38AM -0400, Santosh Chokhani wrote:
> > As part of MISSI and DMS, in mid to late 90's we did work on something
> > called Security Policy Information File (SPIF).
> 
> Oh, very nice!  Thanks for the pointer.  That would be 
> ISO15816.  I've found the spec, though it's non-free (hadn't 
> they learned the lesson with ASN.1??  will they ever learn it??).
> 
> > At high level SPIF entailed the following:
> > 
> > 1.  It was ASN.1 based.
> 
> Not surprisingly :)  Converting that to XML is probably the 
> correct first step in order to ensure adoption, sadly.  
> (Actually, apparently that has already been done once, though 
> outside the ISO/ITU-T.)
> 
> > 2.  It permitted you to convert the machine representation to human 
> > readable representation.
> > 3.  It permitted you to convert the human readable input to machine 
> > representation.
> > 4.  It mapped labels (hierarchical sensitivity levels and
> > non-hierarchical categories) from one labeling policy to another
> > (i.e., establish equivalency mapping).
> > 5.  It allowed you to constrain labels since for some policies,
> > existence of a category may mean some categories, levels, may be
> > included and/or excluded.
> > 
> > Different labeling policies were indicated by different policy OID.
> > 
> > Some of the concept from that work may be applicable here. 
> 
> I think so!  Except for the part about this spec being 
> non-free.  I think that means: start over in the IETF.
> 
> Nico
> -- 
> 

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
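The five SPIF properties listed in the quoted message (machine/human conversion in both directions, equivalency mapping between policies identified by OID, and category constraints) are easy to model in code. The following is an added example written for this page, not code from the thread's authors or from any SPIF implementation; it is a deliberately simplified model and does not reproduce the ISO 15816 ASN.1 layout. The policy names, numeric tags and OIDs are constructed placeholders. It also shows the defender-side detail the thread only implies: a category with no equivalent in the target policy must make translation fail rather than be silently dropped.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """Machine form: owning policy OID, numeric level, numeric category tags."""
    policy_oid: str
    level: int
    categories: frozenset


@dataclass
class Policy:
    """Simplified SPIF-like policy (assumption: toy layout, not ISO 15816 ASN.1)."""
    oid: str
    levels: dict                                   # numeric level -> name
    categories: dict                               # numeric tag -> name
    requires: dict = field(default_factory=dict)   # tag -> tags that must accompany it
    excludes: dict = field(default_factory=dict)   # tag -> tags that may not co-occur
    min_level: dict = field(default_factory=dict)  # tag -> lowest level it may appear at

    def to_human(self, label):
        """Machine -> human-readable, e.g. 'SECRET//ALPHA/CHARLIE'."""
        if label.policy_oid != self.oid:
            raise ValueError("label is under policy %s, not %s" % (label.policy_oid, self.oid))
        names = sorted(self.categories[t] for t in label.categories)
        return self.levels[label.level] + ("//" + "/".join(names) if names else "")

    def from_human(self, text):
        """Human-readable -> machine; unknown names are rejected, never guessed."""
        level_name, _, cat_part = text.partition("//")
        level_by_name = {name: num for num, name in self.levels.items()}
        tag_by_name = {name: tag for tag, name in self.categories.items()}
        try:
            level = level_by_name[level_name]
            tags = frozenset(tag_by_name[c] for c in cat_part.split("/") if c)
        except KeyError as unknown:
            raise ValueError("name %s is not defined in policy %s" % (unknown, self.oid))
        return Label(self.oid, level, tags)

    def violations(self, label):
        """Constraint check: a category's presence can require or exclude other
        categories and can restrict the levels at which it may appear."""
        problems = set()
        for tag in label.categories:
            name = self.categories[tag]
            for missing in self.requires.get(tag, set()) - label.categories:
                problems.add("%s requires %s" % (name, self.categories[missing]))
            for clash in self.excludes.get(tag, set()) & label.categories:
                problems.add("%s excludes %s" % tuple(sorted((name, self.categories[clash]))))
            floor = self.min_level.get(tag)
            if floor is not None and label.level < floor:
                problems.add("%s not permitted below %s" % (name, self.levels[floor]))
        return sorted(problems)


@dataclass
class Equivalency:
    """Mapping between two policies; anything without an equivalent is an error,
    because dropping a category on translation would downgrade the data."""
    src: Policy
    dst: Policy
    level_map: dict      # src level -> dst level
    category_map: dict   # src tag -> dst tag

    def translate(self, label):
        if label.policy_oid != self.src.oid:
            raise ValueError("label is not under source policy %s" % self.src.oid)
        try:
            level = self.level_map[label.level]
            tags = frozenset(self.category_map[t] for t in label.categories)
        except KeyError as unmapped:
            raise ValueError("no equivalent in %s for %s" % (self.dst.oid, unmapped))
        out = Label(self.dst.oid, level, tags)
        bad = self.dst.violations(out)
        if bad:
            raise ValueError("translated label violates %s: %s" % (self.dst.oid, "; ".join(bad)))
        return out


# Constructed sample policies; the OIDs are placeholders, not registered arcs.
POLICY_A = Policy(
    oid="1.2.3.4.1",
    levels={1: "UNCLASSIFIED", 2: "CONFIDENTIAL", 3: "SECRET"},
    categories={10: "ALPHA", 11: "BRAVO", 12: "CHARLIE"},
    requires={12: {10}},            # CHARLIE only ever travels with ALPHA
    excludes={10: {11}, 11: {10}},  # ALPHA and BRAVO never co-occur
    min_level={12: 3},              # CHARLIE exists only at SECRET
)
POLICY_B = Policy(
    oid="1.2.3.4.2",
    levels={0: "LOW", 1: "MEDIUM", 2: "HIGH"},
    categories={100: "A", 101: "B"},  # deliberately no equivalent for CHARLIE
)
A_TO_B = Equivalency(POLICY_A, POLICY_B, level_map={1: 0, 2: 1, 3: 2},
                     category_map={10: 100, 11: 101})


def demo():
    """Round trip, constraint check and cross-policy translation on sample labels."""
    ok = POLICY_A.from_human("SECRET//ALPHA/CHARLIE")
    bad = POLICY_A.from_human("CONFIDENTIAL//CHARLIE")
    try:
        A_TO_B.translate(ok)
        charlie_mapped = True
    except ValueError:
        charlie_mapped = False
    return {
        "round_trip": POLICY_A.to_human(ok),
        "violations": POLICY_A.violations(bad),
        "translated": POLICY_B.to_human(A_TO_B.translate(POLICY_A.from_human("SECRET//ALPHA"))),
        "charlie_mapped": charlie_mapped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the human form surviving a round trip, the constrained label `CONFIDENTIAL//CHARLIE` being rejected on two counts, `SECRET//ALPHA` translating to `HIGH//A` under the second policy, and the label carrying CHARLIE refusing to translate at all because the target policy has nowhere to put it.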