ietf-smime

Re: ESS MLA Attributes Comment

1998-02-19 13:58:34
John:

I disagree with your handling of security label.  MLAs should not modify an
existing security label attribute.  This action would encourage label
translation.

I suggest that we permit the addition of a security label if it is absent,
but otherwise the MLA should preserve the outer security label.

Russ


At 08:53 AM 2/18/98 -0500, John Pawling wrote:
All,

The 16 Feb 98 ESS, sec 4.2, intro, 3rd para, states:
"When the MLA creates the new attribute list for its signature, the MLA
MUST propagate forward each attribute in the old signature, unless the MLA
explicitly replaces the attribute with a new value. An MLA will frequently
encounter attributes, or parts of attributes, which it does not
understand. Attributes such as security labels cannot be removed from
the new signature being created without compromising the security of the
system. Because it is impossible to enumerate the future list of attributes
which have security implications, an MLA MUST propagate forward all
attributes which it does not explicitly replace."


I agree with the intent of the aforementioned paragraph that the MLA MUST
propagate forward each authenticated attribute present in the old outermost
signature, unless the MLA explicitly replaces the attribute with a new
value.  However, I disagree with some of the other statements in the text
and I believe that the text needs to be more precise.  Propose that the
aforementioned text should be deleted and that the following changes should
replace it:

1) sec 4.2.2, bullet 3.2.1 should be changed as follows:

OLD: 3.2.1. The MLA strips the existing outermost SignedData layer after
           remembering the value of the mlExpansionHistory attribute in that
            layer, if one was there.

NEW: 3.2.1. The MLA strips the existing outermost SignedData layer after
           remembering the value of the mlExpansionHistory and all other
            authenticated attributes in that layer, if present.


2) sec 4.2.2, bullet 3.2.3, first para, should be changed as follows:

OLD: 3.2.3. The MLA adds an mlExpansionHistory attribute. The SignedData
           layer created by the MLA replaces the original outermost SignedData
           layer.

NEW: 3.2.3. The outermost signedData layer created by the MLA replaces the
            original outermost signedData layer.  The MLA MUST create an
            authenticated attribute list for the new outermost signedData
            layer which MUST include each authenticated attribute present in
            the original outermost signedData layer, unless the MLA
            explicitly replaces the attribute with a new value.  For example,
            the MLA MUST include the securityLabel attribute present in the
            original outermost signedData layer unless it replaces that
            attribute with a new securityLabel attribute that it creates.  A
            special case is the mlExpansionHistory attribute.  The MLA MUST
            add an mlExpansionHistory authenticated attribute to the outer
            signedData layer as follows: ....

Note: The proposed 3.2.3 change specifies that the MLA can replace the
securityLabel in the outermost signedData layer, not the innermost
signedData layer.  The MLA can never change any of the authenticated
attributes in the innermost signedData layer (including the securityLabel)
because that would break the original signer's signature of the innermost
signedData layer.

================================
John Pawling   
jsp(_at_)jgvandyke(_dot_)com                             
J.G. Van Dyke & Associates, Inc.           
================================
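
The two positions in this thread on the outer securityLabel, modelled side by side as an added Python example; it is not code from either message or from the ESS draft. Attributes are modelled as a plain dict, the attribute values are constructed, and appending this MLA's entry to the remembered mlExpansionHistory is an assumption about the elided "as follows" text.

```python
# Added illustration: attribute names come from the thread, values are constructed.
LABEL = "securityLabel"
HISTORY = "mlExpansionHistory"


class LabelConflict(Exception):
    """The MLA tried to change a security label that was already present."""


def build_outer_attrs(old_attrs, ml_entry, replacements=None, preserve_label=True):
    """Build the authenticated attributes for the MLA's new outer signedData.

    old_attrs      -- attributes remembered from the stripped outer layer (3.2.1)
    ml_entry       -- this MLA's entry for mlExpansionHistory (hypothetical value)
    replacements   -- attributes the MLA explicitly replaces or adds
    preserve_label -- True: rule suggested in the reply (add a label only if
                      absent); False: proposed 3.2.3 text (label may be replaced)
    """
    replacements = dict(replacements or {})
    if HISTORY in replacements:
        raise ValueError("mlExpansionHistory is handled separately, not replaced")
    if (preserve_label and LABEL in old_attrs and LABEL in replacements
            and replacements[LABEL] != old_attrs[LABEL]):
        raise LabelConflict("existing outer securityLabel must be preserved")

    # Propagate every old attribute, including ones the MLA does not understand.
    new_attrs = dict(old_attrs)
    new_attrs.update(replacements)
    # Assumption: the MLA extends the remembered history with its own entry.
    new_attrs[HISTORY] = list(old_attrs.get(HISTORY, [])) + [ml_entry]
    return new_attrs


if __name__ == "__main__":
    old = {LABEL: "CONFIDENTIAL", "1.2.3.4.5": b"\x01", HISTORY: ["list-a"]}
    print(build_outer_attrs(old, "list-b"))
    print(build_outer_attrs(old, "list-b", {LABEL: "SECRET"}, preserve_label=False))
    try:
        build_outer_attrs(old, "list-b", {LABEL: "SECRET"})
    except LabelConflict as exc:
        print("rejected:", exc)
```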

