Kurt,

Thanks. On the issue of authorization to "label" an object, I assume you are not saying that write authorizations need to be separate from read authorization. I suspect you are saying that since one may be providing information to multiple parties operating under different policies, one may need to label the information for each party.

The SDN series took care of this by providing the subject clearance in an X.509 certificate in the subject's policy domain. These clearance checks are made during message creation. It is required that the SPIF in the recipient policy domain use the equivalency mapping to enforce the access control, just like the subject makes these checks in their domain.

To illustrate, let us say that subject A has clearance asserted in policy X and has a SPIF that specifies policy X and maps policy X to Y. Let us say that subject B has clearance asserted in policy Y and has a SPIF that specifies policy Y and maps policy Y to X. Now, under the reader-to-writer security model, the following should occur:

1. When A creates a message for B with label L, A's clearance under policy X to create label L can be checked. Also, B's clearance under policy Y can be converted to its equivalent under policy X using SPIF X. Then, it can be determined if B is allowed to receive a message with label L.

2. B can do a mirror image of this when B receives the message.

This approach also fits nicely with the traditional subject, subject clearance, object, object label, and MAC policy in the computer security world.

Alternative means can be explored if SPIF equivalency is deemed overly complex. I hope once the alternative solutions are developed, their complexity and the SPIF complexity due to equivalency will be compared to determine which solution is the best.
> -----Original Message-----
> From: Kurt Zeilenga [mailto:Kurt.Zeilenga at Isode.com]
> Sent: Saturday, April 04, 2009 2:44 PM
> To: Russ Housley
> Cc: Santosh Chokhani; saag at ietf.org; labeled-nfs at linux-nfs.org; selinux at tycho.nsa.gov; nfsv4 at ietf.org; nfs-discuss at opensolaris.org
> Subject: Re: [saag] Common labeled security (comment on CALIPSO, labeled NFSv4)
>
> On Apr 3, 2009, at 9:44 AM, Russ Housley wrote:
>
> > I really do not have time to write about all of my concerns.
>
> Understand. It might be a long write-up!
>
> > However, once you get beyond the basic classifications, the SPIF model breaks.
>
> I would say that the SPIF model discussed in SDN 801 has some significant limitations. Dealing with the "black project" problem you allude to is certainly one of them. Another is that the SPIF only describes authorization to access (e.g., read) an object (given the policy, the object's label, and the accessor's clearance). It doesn't describe what labels an entity is allowed to use in labeling an object. While one might assume that "right to read" implies a "right to label", this assumption is only useful in simple environments. It cannot handle various national or international policies.
>
> I do think there is a need to develop a SPIF replacement that addresses various limitations, and would be willing to provide input in such an effort. However, it needs to be driven by key stakeholders.
>
> Until there is a suitable SPIF replacement for labeling at the application level (e.g., Directory, email, XMPP), I'll continue to implement SPIF-based solutions as there simply ain't any better policy-neutral solution (that I'm aware of)... and that's what my customers are asking for (as they find it useful in their use cases).
>
> -- Kurt
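An added example, not part of the thread or of any SDN 801 implementation, modelling the two-step check Santosh outlines above: each side holds its own SPIF with an equivalency table, the originator checks its own clearance for label L and the recipient's mapped clearance, and the recipient mirrors the check in its own domain. Policy names, classification names, category names and the mapping tables are constructed, and `Spif` is a toy structure (ordering plus name-to-name tables), not the real SPIF format.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    """A label or clearance: classification plus categories, asserted under one policy."""
    policy: str
    classification: str
    categories: frozenset

@dataclass
class Spif:
    """Toy SPIF: classifications low-to-high, plus equivalency tables keyed by other policy name."""
    policy: str
    classifications: tuple
    equivalences: dict   # {other policy: {their classification or category: ours}}
    def map_to_local(self, foreign):
        """Translate a foreign label into this policy; None if anything has no equivalent."""
        if foreign.policy == self.policy:
            return foreign
        table = self.equivalences.get(foreign.policy, {})
        if foreign.classification not in table or any(c not in table for c in foreign.categories):
            return None  # an unmapped classification or category must deny, never be dropped
        return Label(self.policy, table[foreign.classification], frozenset(table[c] for c in foreign.categories))
    def dominates(self, clearance, label):
        """MAC dominance within this policy: level high enough and every category held."""
        rank = self.classifications.index
        return (clearance.policy == label.policy == self.policy
                and rank(clearance.classification) >= rank(label.classification)
                and clearance.categories >= label.categories)

def may_send(spif, sender_clr, label, recipient_clr):
    """Step 1: A checks its own clearance for L, then maps B's clearance via A's SPIF and checks it."""
    mapped = spif.map_to_local(recipient_clr)
    return spif.dominates(sender_clr, label) and mapped is not None and spif.dominates(mapped, label)

def may_receive(spif, recipient_clr, label, sender_clr):
    """Step 2: B mirrors the check in its own domain, mapping both L and A's clearance."""
    lbl, snd = spif.map_to_local(label), spif.map_to_local(sender_clr)
    return lbl is not None and snd is not None and spif.dominates(snd, lbl) and spif.dominates(recipient_clr, lbl)

# Constructed sample policies X and Y (hypothetical names and tables, not from the thread).
SPIF_X = Spif("X", ("UNCLASSIFIED", "RESTRICTED", "SECRET"),
              {"Y": {"OPEN": "UNCLASSIFIED", "LIMITED": "RESTRICTED", "PROTECTED": "SECRET", "CAT-Q": "CAT-A"}})
SPIF_Y = Spif("Y", ("OPEN", "LIMITED", "PROTECTED"),
              {"X": {"UNCLASSIFIED": "OPEN", "RESTRICTED": "LIMITED", "SECRET": "PROTECTED", "CAT-A": "CAT-Q"}})
A_CLR = Label("X", "SECRET", frozenset({"CAT-A"}))      # A's clearance, asserted in policy X
B_CLR = Label("Y", "LIMITED", frozenset({"CAT-Q"}))     # B's clearance, asserted in policy Y
L_OK = Label("X", "RESTRICTED", frozenset({"CAT-A"}))   # inside both clearances once mapped
L_TOO_HIGH = Label("X", "SECRET", frozenset())          # A may create it, but B may not receive it
```

A category with no entry in the recipient's table (for example a constructed `CAT-Z`) makes `map_to_local` return None, so both checks deny rather than quietly losing a compartment in translation.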