On Thu, 2009-04-02 at 18:35 -0400, Paul Moore wrote:
> On Thursday 02 April 2009 11:24:24 am Nicolas Williams wrote:
> > On Wed, Apr 01, 2009 at 12:46:33PM -0400, Paul Moore wrote:
> > > My only comment was that figuring out how to transfer information over
> > > the network isn't really that important yet. Reading through the thread
> > > I don't think there is general agreement on what we even need to send to
> > > enable proper label translation/encoding/etc.
> >
> > I think we all agree that a client and server have to agree on the
> > meaning of any given DOI number so that they can properly encode labels.
> >
> > In order to interop this means we need a common label encoding for any
> > given DOI.
> >
> > I think we agree on that, no?
>
> Yep. Although I don't think we should try to force a single label encoding
> for all DOIs (couldn't tell from your reply how far you wanted to take this);
> using some combination of DOI+<opaque label> seems reasonable.
>
> > That leaves this problem: how to ensure that the client and server do
> > actually agree as to a given DOI's label encodings?
> >
> > That's a big problem that to date has been solved by out-of-band
> > mechanisms. That solution leaves interoperability in a lurch: it's up
> > to vendors to cooperate to obtain a common security policy for use on
> > the wire.
>
> Well, I think the trick is you define a security policy and label format in
> the DOI and then leave it up to the various implementations to handle the
> necessary internalization and import/export of the DOI. Perhaps we are in a
> six-of-one/half-dozen-of-the-other discussion right now.

I am just getting to read this thread. I find it interesting because the labeled IPsec draft expresses DOI + opaque string in a similar manner as the labeled NFSv4 draft. Upon reading the thread, I agree with you: define a security policy and label format in the DOI and leave it up to the implementation to handle internalization.

I had always assumed the DOI would be handled by IANA and when a request was made for a new DOI number, a definition would be included. For example, DOI #5: mapping between MAC implementation A version xx, label policy B AND MAC implementation G version xx, label policy R. Or maybe something like, DOI #6: SELinux version XX, using MCS. The sys admin would determine based on local MAC, mappings, etc., which DOI to use/communicate. This perhaps sounds somewhat primitive, but I am still processing all the info communicated in the thread. :-)

regards,
Joy

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
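The DOI + opaque label scheme discussed in this thread, as an added example that is not code from the labeled NFSv4 or labeled IPsec drafts: a constructed DOI registry (DOI number 6, "SELinux with MCS", the wire layout, and the label syntax are all assumptions made for illustration) lets a peer validate a label only under a DOI it has agreed on, and reject anything carrying an unknown DOI rather than guessing at its meaning.

```python
import re
import struct

# Constructed stand-in for an IANA-style DOI table: a peer interprets an opaque
# label only under a DOI both sides agreed on. Number, name and syntax are illustrative.
MCS_RE = re.compile(r"^([a-z_]+):([a-z_]+):([a-z_]+):s0(?::c(\d+)(?:\.c(\d+))?)?$")

def parse_selinux_mcs(label: str) -> dict:
    """Validate an 'SELinux with MCS' label: single sensitivity s0, categories c0..c1023."""
    m = MCS_RE.match(label)
    if not m:
        raise ValueError(f"label not in SELinux MCS form: {label!r}")
    user, role, typ, lo, hi = m.groups()
    cats = ()
    if lo is not None:
        lo_i = int(lo)
        hi_i = int(hi) if hi is not None else lo_i
        if not (0 <= lo_i <= hi_i <= 1023):
            raise ValueError(f"category range out of bounds: {label!r}")
        cats = (lo_i, hi_i)
    return {"user": user, "role": role, "type": typ, "sensitivity": 0, "categories": cats}

DOI_REGISTRY = {6: ("SELinux with MCS (constructed)", parse_selinux_mcs)}

def encode_label(doi: int, label: str) -> bytes:
    """Wire form (constructed): 4-byte DOI, 2-byte length, then the opaque label bytes."""
    raw = label.encode("utf-8")
    return struct.pack("!IH", doi, len(raw)) + raw

def decode_label(wire: bytes) -> dict:
    """Decode a DOI+label, refusing to interpret labels under a DOI this peer has not agreed on."""
    if len(wire) < 6:
        raise ValueError("truncated DOI+label")
    doi, length = struct.unpack("!IH", wire[:6])
    raw = wire[6:6 + length]
    if len(raw) != length:
        raise ValueError("label length does not match payload")
    if doi not in DOI_REGISTRY:
        raise ValueError(f"unknown DOI {doi}: no agreed label encoding, refusing to interpret")
    name, parser = DOI_REGISTRY[doi]
    return {"doi": doi, "doi_name": name, **parser(raw.decode("utf-8"))}

def try_decode(wire: bytes):
    """Return the decoded label, or the rejection reason as a string."""
    try:
        return decode_label(wire)
    except ValueError as exc:
        return f"rejected: {exc}"
```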