Sorry I was not at the meeting on Monday but airplane mechanical problems
were my demise.
Anyhow, please see the info below as this was my presentation material. The
main area of work now is taking the security category syntax and working
examples for each tag. But I am hoping to receive comments on the syntax
(or any other area of the doc) as it is based on other work but is
different.
thanks,
Weston
Mapping Company Classification Policy to the S/MIME Security Label
July 31, 2000
Purpose
- Informational RFC
- Build on Security Label feature defined in ESS
- Show how Security Label can be used to implement an organizational
security policy
Have
- Classification Policies and OIDs for:
    Amoco Corporation:      General, Confidential, Highly Confidential
    Caterpillar Inc:        Public, Confidential Green, Confidential Yellow,
                            Confidential Red
    Whirlpool Corporation:  Public, Internal, Confidential
- Privacy Mark examples
- Security Category syntax
Need
- Comments on 2nd draft
- Generic S/MIME securityCategoryType OID (request made for an S/MIME OID
for this)
- Security Category examples
Security Category Syntax
SecurityCategoryValues ::= SEQUENCE OF SecurityCategoryTagGroup

SecurityCategoryTagGroup ::= SEQUENCE {
    securityCategoryTagGroupName  OBJECT IDENTIFIER,
                                  -- request made for test Whirlpool OID
    securityCategoryTagGroup      SEQUENCE OF SecurityCategoryTag }

SecurityCategoryTag ::= CHOICE {
    restrictiveBitMap          [0] BIT STRING,
    permissiveBitMap           [1] BIT STRING,
    noAccessControlBitMap      [2] BIT STRING,
    restrictiveEnumerated      [3] SEQUENCE OF INTEGER,
    permissiveEnumerated       [4] SEQUENCE OF INTEGER,
    noAccessControlEnumerated  [5] SEQUENCE OF INTEGER }
Restrictive Bit Map Tag
Access must be restricted to only those messages whose set of attributes is
a subset of the attributes for the message recipient.
Security compartments and caveats are examples of restrictive security
attributes.
Permissive Bit Map Tag
A message can be accepted if the recipient belongs to any of the release
groups in the release permission list on the message label.
For example, a label marking material as available only to members of an
organization's Personnel Office.
No Access Control Bit Map Tag
Represents security category values for which no access control check is
required (e.g. originator controlled data).
Restrictive Enumerated Tag
Access must be restricted to only those messages whose set of attributes is
a subset of the attributes for the recipient.
Compartments are an example of attributes enumerated by this tag.
Permissive Enumerated Tag
A message can be accepted if the recipient belongs to any of the release
groups in the release permission list on the message label.
Release permissions are an example of attributes enumerated by this tag.
No Access Control Enumerated Tag
Represents security category values for which no access control check is
required (e.g. list of country codes).
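As an added illustration (not part of the draft or this presentation), the access decision each of the six tag forms implies, in Python. The group OID and the attribute numbers are constructed placeholders, and the fail-closed handling of unknown tag types and of groups missing from a recipient's clearance are assumptions, not something the draft states.

```python
from typing import Dict, FrozenSet, List, Tuple

# Context tags of the SecurityCategoryTag CHOICE in the draft syntax.
RESTRICTIVE_BITMAP, PERMISSIVE_BITMAP, NO_ACCESS_CONTROL_BITMAP = 0, 1, 2
RESTRICTIVE_ENUMERATED, PERMISSIVE_ENUMERATED, NO_ACCESS_CONTROL_ENUMERATED = 3, 4, 5


def bitmap_to_set(bits: bytes) -> FrozenSet[int]:
    """Bit positions set in a BIT STRING (bit 0 is the most significant bit of octet 0)."""
    return frozenset(8 * i + b for i, octet in enumerate(bits)
                     for b in range(8) if octet & (0x80 >> b))


def tag_permits(tag_type: int, label_values: FrozenSet[int],
                recipient_values: FrozenSet[int]) -> bool:
    """Decide one tag. label_values are the bit positions (bitmap forms) or INTEGERs
    (enumerated forms) on the message; recipient_values are those the recipient holds."""
    if tag_type in (RESTRICTIVE_BITMAP, RESTRICTIVE_ENUMERATED):
        # Restrictive: every attribute on the message must be held by the recipient.
        return label_values <= recipient_values
    if tag_type in (PERMISSIVE_BITMAP, PERMISSIVE_ENUMERATED):
        # Permissive: recipient must be in at least one release group on the label;
        # an empty release list therefore releases to nobody (assumption).
        return bool(label_values & recipient_values)
    if tag_type in (NO_ACCESS_CONTROL_BITMAP, NO_ACCESS_CONTROL_ENUMERATED):
        # No access control: the values are informational, no check is required.
        return True
    return False  # unknown tag type: fail closed (assumption)


# A label is a list of (group OID, [(tag type, values), ...]) tag groups.
Label = List[Tuple[str, List[Tuple[int, FrozenSet[int]]]]]


def label_permits(label: Label, recipient: Dict[str, FrozenSet[int]]) -> bool:
    """Every tag in every tag group must permit the recipient. A group OID missing from
    the recipient's clearance is checked against an empty attribute set (assumption)."""
    return all(tag_permits(tag_type, values, recipient.get(group_oid, frozenset()))
               for group_oid, tags in label for tag_type, values in tags)


# Constructed sample: one Whirlpool-style tag group. The OID is a placeholder because
# the draft says the test OID has only been requested.
WHIRLPOOL_TEST_OID = "PLACEHOLDER.whirlpool.test.oid"
SAMPLE_LABEL: Label = [(WHIRLPOOL_TEST_OID, [
    (RESTRICTIVE_BITMAP, bitmap_to_set(b"\xA0")),   # compartments 0 and 2 both required
    (PERMISSIVE_ENUMERATED, frozenset({7, 9})),     # released to group 7 or group 9
])]

if __name__ == "__main__":
    for who, held in (("alice", {0, 1, 2, 7}), ("bob", {0, 7}), ("carol", {0, 2, 3})):
        print(who, label_permits(SAMPLE_LABEL, {WHIRLPOOL_TEST_OID: frozenset(held)}))
```

Only alice is permitted: bob lacks compartment 2 (restrictive check fails) and carol is in neither release group (permissive check fails).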
3rd Draft
- fix errors, clarify wording as necessary
- add examples as needed and marked now by << >>
- address comments
- September ?
Weston Nicolls, CISSP
Sr. Manager, Professional Services
E-Commerce and Cryptography
Telenisus Corporation - Managed Hosting, VPN, Authentication, Firewall and
IDS Services
(847) 871-5086