John,
As long as the text makes it clear that the wrapped label may be different
from the inner label and that access control is a local issue, I think this
ends the debate on matching security labels.
There is a separate debate about applying counter signatures at the same
signedData level and applying wrapping signatures, but that is a separate
issue.
-----Original Message-----
From: John Pawling <jsp(_at_)jgvandyke(_dot_)com>
To: John Ross <ross(_at_)jgross(_dot_)demon(_dot_)co(_dot_)uk>;
ietf-smime(_at_)imc(_dot_)org
<ietf-smime(_at_)imc(_dot_)org>; Paul Hoffman / IMC
<phoffman(_at_)imc(_dot_)org>
Date: Tuesday, April 14, 1998 1:20 PM
Subject: Re: The big picture in eSSSecurityLabels
John,
The ESS I-D eSSSecurityLabels can be different in the inner and outer
signedData layers.
Also, as the ESS text is now, my understanding is that the originator's
security label is mandated
The inclusion of an eSSSecurityLabel is optional.
and must be part of the recipient's access control
rules even if the label has no semantics in the receiving domain.
ESS does not mandate what action is taken when an access control error
occurs. That is a matter of local policy.
Those are the two issues I am arguing against.
JR