As per previous comments on compatibility between the X.411 security label and the
ESSSecurityLabel, I think the following would offer more compatibility and
allow for the extended character set:
ESSSecurityLabel ::= CHOICE {
  x411-security-label SecurityLabel,
  version2-security-label Version2SecurityLabel }

SecurityLabel ::= SET {
  security-policy-identifier SecurityPolicyIdentifier OPTIONAL,
  security-classification SecurityClassification OPTIONAL,
  privacy-mark PrivacyMark OPTIONAL,
  security-categories SecurityCategories OPTIONAL }

Version2SecurityLabel ::= SET {
  security-policy-identifier SecurityPolicyIdentifier,
  security-classification SecurityClassification OPTIONAL,
  privacy-mark ExtendedPrivacyMark OPTIONAL,
  security-categories SecurityCategories OPTIONAL }

ExtendedPrivacyMark ::= UTF8String
Then rules can be specified that mandate the X.411 label is generated
unless the extended character set is required, in which case the version 2 security label
shall be generated.
The above should mean that any signature that signs over the X.411 label
will operate end to end even if it has to cross a gateway between a domain
that only supports the X.411 security label and a domain that supports both
the X.411 and version 2 labels.
I also think that this maintains structural compatibility between the X.411 and
version 2 signatures.
Any comments?
John Ross
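An added example in Python (not part of the message above, nor code from any ESS implementation) that applies the proposed rule: the label is DER-encoded as the X.411 alternative when the privacy mark fits PrintableString, and as the version 2 alternative with a UTF8String mark otherwise. It assumes context tags [0] and [1] on the two CHOICE alternatives so a decoder can tell the SETs apart, integer classification values, and a constructed policy identifier under the 2.999 example arc.

```python
# Added example: selects and DER-encodes the label per the proposed rule.
# Assumes context tags [0]/[1] on the CHOICE alternatives (not in the proposal).
PRINTABLE_STRING_CHARS = set(  # repertoire of X.411's PrintableString PrivacyMark
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def der_int(n: int) -> bytes:
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for sid in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # base-128 subidentifiers
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def der_set(members: list) -> bytes:
    # DER orders SET members by tag; all tags here are single-byte universal tags.
    return der_tlv(0x31, b"".join(sorted(members)))

def needs_version2(privacy_mark: str) -> bool:
    """True when the mark cannot be carried in X.411's PrintableString."""
    return any(c not in PRINTABLE_STRING_CHARS for c in privacy_mark)

def encode_ess_label(policy_oid: str, classification: int, privacy_mark: str) -> bytes:
    members = [der_oid(policy_oid), der_int(classification)]
    if needs_version2(privacy_mark):
        members.append(der_tlv(0x0C, privacy_mark.encode("utf-8")))  # UTF8String
        return der_tlv(0xA1, der_set(members))  # [1] version2-security-label
    members.append(der_tlv(0x13, privacy_mark.encode("ascii")))  # PrintableString
    return der_tlv(0xA0, der_set(members))  # [0] x411-security-label

def alternative_of(label: bytes) -> str:
    # The check a gateway into an X.411-only domain would make before forwarding.
    return {0xA0: "x411-security-label", 0xA1: "version2-security-label"}[label[0]]
```

Calling `encode_ess_label("2.999.1", 3, "UNCLASSIFIED")` yields the [0] alternative with a PrintableString mark, while a mark such as "Zürich" forces the [1] alternative with a UTF8String mark.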