A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Requirements for Message Access Control
Author(s) : Trevor Freeman
Jim Schaad
Patrick Patterson
Filename : draft-freeman-message-access-control-req-01.txt
Pages : 20
Date : 2011-05-27
There are many situations where organizations want to include
information which is subject to regulatory or other complex access
control policy in email. Regulated information requires some form of
robust access control to protect the confidentiality of the
information. The Enhanced Security Services for S/MIME [rfc2634]
defines an access control mechanism for S/MIME (eSSSecurityLabel).
This is a signed attribute of a SignedData object which indicates the
access control policy for the message. The fact that this is a signed
attribute protects the integrity of the data and the binding of the
label to the message but does not protect the confidentiality of the
information i.e. at the point where you lean the access control policy
to the data you also have access to the data. While the signature
provides integrity for the label over the clear text, it is
susceptible to unauthorized removal i.e. if you only have SignedData
message, any MTA in the mail path can remove a signature layer and
therefore remove the access control data. Encrypting the signed
message protects the confidentiality of the data and protects the
SignedData from unauthorized removal but this hides the ESS security
label.
From a regulatory enforcement perspective this is an extremely weak
form of access control because cryptographic access to the data is
given before the access check. The correct enforcement of the access
check totally depends on the configuration of the recipients email
client. Since the cryptographic access is granted before the access
checks, there is no significant impediment for a recipient who is
unauthorized under the policy to access the data. A stronger
enforcement model is needed for regulatory control for email where
cryptographic access is only granted after the access check.
There are also many users on the Internet today who have some form of
authentication credential but they are not X.509 certificates and who
therefore cannot use S/MIME. There are now available, standard based
services (e.g. [SAML-overview]) which abstract the specifics of a
technology used to authenticate uses from the application itself
(S/MIME in this case). Adoption of this abstraction model would enable
a broader set of users who have other types to authentication
credentials to be able to use S/MIME to secure email. It also allows
for new authentication technology to be deployed without impacting the
core S/MIME protocol.
This document specifies the requirements for:-
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-freeman-message-access-control-req-01.txt
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-freeman-message-access-control-req-01.txt
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
