ietf-smime

draft-ietf-smime-seclabel-00.txt

2000-03-22 19:08:08
Weston:

I have two questions about the Internet-Draft.

QUESTION 1.

The Amoco policy defines a confidentiality hierarchy and an integrity hierarchy. In practice, is a piece of information marked with a confidentiality value, an integrity value, or both? The ASN.1 defined in the document leads me to believe that a particular piece of information has either a confidentiality value or an integrity value, but never both.

You included the following ASN.1:
     Amoco-SecurityClassification ::= INTEGER {
       amoco-general (6),
       amoco-confidential (7),
       amoco-highly-confidential (8),
       amoco-minimum (9),
       amoco-medium (10),
       amoco-maximum (11)  }

Since the classification in the ESS security label is a single INTEGER, only one of these values may be present in a particular instance of a security label.

Is the integrity value ever used to make an access control decision? If not, then perhaps the integrity value should be carried in the privacy mark.

QUESTION 2.

In the Whirlpool section, you say:

     For WHIRLPOOL INTERNAL, additional markings or caveats are optional at the
     discretion of the information owner.

     For WHIRLPOOL CONFIDENTIAL, add additional marking or caveats as necessary
     to comply with regulatory or heightened security requirements. Examples: MAKE NO
     COPIES, THIRD PARTY CONFIDENTIAL, ATTORNEY-CLIENT PRIVILEGED DOCUMENT,
     DISTRIBUTION LIMITED TO ____, COVERED BY A NON-ANALYSIS AGREEMENT.

The examples listed can be characterized as guidance to the information recipient about how the information needs to be handled. Mostly, guidance is provided about the redistribution of the information. Since these are examples, I wonder if there is an example of a caveat on which one might expect automated access control.

Russ
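Added illustration for Question 1 (this is not code from the draft or from the message above): a stdlib-only DER encoder and decoder for the RFC 2634 ESSSecurityLabel, used to show that the security-classification component holds exactly one INTEGER, and one way to carry an Amoco integrity value in the privacy-mark instead, as the message proposes. The policy OID, the privacy-mark text convention (INTEGRITY=...), the clearance check and the sample values are assumptions made for the example.

```python
"""ESSSecurityLabel (RFC 2634) encoder/decoder, added as an example.
Assumed, not from the draft: the policy OID, the INTEGRITY= privacy-mark
convention and the dominance rule in may_read()."""

# Values as quoted from the draft; names hyphenated as ASN.1 requires.
AMOCO_CONFIDENTIALITY = {"amoco-general": 6, "amoco-confidential": 7,
                         "amoco-highly-confidential": 8}
AMOCO_INTEGRITY = {"amoco-minimum": 9, "amoco-medium": 10, "amoco-maximum": 11}

EXAMPLE_POLICY_OID = "1.3.6.1.4.1.99999.1"   # assumed policy identifier
INTEGRITY_PREFIX = "INTEGRITY="              # assumed privacy-mark convention

# --- minimal DER primitives (universal tags only) --------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    # non-negative INTEGER, minimal two's-complement encoding
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_printable(text):
    return tlv(0x13, text.encode("ascii"))

def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

# --- ESSSecurityLabel ------------------------------------------------------
def encode_label(policy_oid, classification, privacy_mark=None):
    """ESSSecurityLabel ::= SET { security-policy-identifier OBJECT IDENTIFIER,
    security-classification INTEGER OPTIONAL, privacy-mark PrintableString
    OPTIONAL, security-categories ... }.  Only one classification INTEGER fits."""
    components = [der_oid(policy_oid), der_int(classification)]
    if privacy_mark is not None:
        components.append(der_printable(privacy_mark))
    # DER SET: components in ascending tag order (INTEGER < OID < PrintableString)
    return tlv(0x31, b"".join(sorted(components, key=lambda c: c[0])))

def decode_label(blob):
    tag, body, end = read_tlv(blob, 0)
    if tag != 0x31 or end != len(blob):
        raise ValueError("not a single DER SET")
    fields, pos = {}, 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t == 0x02:
            if "classification" in fields:
                raise ValueError("more than one security-classification")
            fields["classification"] = int.from_bytes(v, "big", signed=True)
        elif t == 0x06:
            fields["policy_raw"] = bytes(v)      # OID left undecoded here
        elif t == 0x13:
            fields["privacy_mark"] = v.decode("ascii")
        else:
            raise ValueError("unexpected component tag %#x" % t)
    return fields

def classification_count(blob):
    """Number of INTEGER components in the outer SET (a valid label has at most one)."""
    _, body, _ = read_tlv(blob, 0)
    count, pos = 0, 0
    while pos < len(body):
        t, _, pos = read_tlv(body, pos)
        count += t == 0x02
    return count

def integrity_of(label):
    """Recover the integrity value carried in the privacy-mark (assumed convention)."""
    mark = label.get("privacy_mark", "")
    if not mark.startswith(INTEGRITY_PREFIX):
        return None
    return AMOCO_INTEGRITY[mark[len(INTEGRITY_PREFIX):]]

def may_read(label, clearance):
    """Assumed dominance check on the single confidentiality INTEGER."""
    return label["classification"] <= clearance

def demo():
    # constructed sample: AMOCO CONFIDENTIAL data with AMOCO MEDIUM integrity
    blob = encode_label(EXAMPLE_POLICY_OID,
                        AMOCO_CONFIDENTIALITY["amoco-confidential"],
                        INTEGRITY_PREFIX + "amoco-medium")
    return blob, decode_label(blob)

if __name__ == "__main__":
    blob, label = demo()
    print(blob.hex(), label, integrity_of(label), may_read(label, 7))
```

Because the classification is a single INTEGER, a label that tried to carry both 7 (amoco-confidential) and 10 (amoco-medium) would need two INTEGER components in the SET, which decode_label() rejects; the privacy-mark is the natural place for the second value when no access-control decision depends on it.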