From: Paul Moore <paul.moore@hp.com>
To: "David P. Quigley" <dpquigl@tycho.nsa.gov>
Cc: Joy Latten <latten@austin.ibm.com>,
gcwilson@us.ibm.com, selinux@tycho.nsa.gov, serue@us.ibm.com,
tjaeger@cse.psu.edu
Subject: Re: [RFC 1/2] labeled ipsec internet drafts
Date: Wed, 27 Aug 2008 17:56:22 -0400 [thread overview]
Message-ID: <200808271756.22660.paul.moore@hp.com> (raw)
In-Reply-To: <1219872077.2627.95.camel@moss-terrapins.epoch.ncsc.mil>
On Wednesday 27 August 2008 5:21:17 pm David P. Quigley wrote:
> I would like Paul to give his opinion on this as well but I think the
> best thing at the moment would be go submit your draft where the DOI
> is a tuple of (mechanism,doi). I personally like the idea of
> representing the 32 bit value as a series of four octets for human
> readable purposes but your idea does have some merit with regards to
> what information should be stored with these numbers by IANA. By
> having your draft out there recommending your method of handling DOIs
> it gives people one more thing to consider for discussion during the
> BOF.
Our emails may have crossed in flight, but just in case it isn't clear
from the response I sent earlier this afternoon I think we are best
served with the DOI as a unified 32 bit value (the dotted notation is
just for display/readability purposes).
I would encourage us to stop thinking about specific DOI values
as "SELinux", "Smack", or whatever. There is no reason we can't get
the different labeled security implementation to work together but if
we continue to propagate the notion of implementation specific DOIs
then it becomes that much harder. I think we need to think of DOIs as
defining a mapping between an on-the-wire label format to a semantic
meaning; the actual format of the wire label isn't important, the
meaning of the label is what really counts. Once we understand what a
wire formatted label means we can internalize it however we need to so
that the implementation can do the necessary access control.
Once again, think of how we handle the MLS-only CIPSO labels today; it
is a simplified example but it demonstrates the basic concept of
internalizing implementation agnostic security labels and the
interoperability benefits that result.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-08-27 21:56 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-25 20:46 [RFC 1/2] labeled ipsec internet drafts Joy Latten
2008-08-25 21:42 ` David P. Quigley
2008-08-26 17:17 ` Joy Latten
2008-08-26 20:24 ` David P. Quigley
2008-08-27 16:17 ` Joy Latten
2008-08-27 16:49 ` David P. Quigley
2008-08-27 18:41 ` Joy Latten
2008-08-27 20:50 ` Paul Moore
2008-08-27 21:33 ` David P. Quigley
2008-08-27 22:56 ` Joy Latten
2008-08-28 16:08 ` Paul Moore
2008-08-27 23:27 ` Joy Latten
2008-08-28 15:44 ` Paul Moore
2008-08-27 21:21 ` David P. Quigley
2008-08-27 21:56 ` Paul Moore [this message]
2008-08-27 22:00 ` David P. Quigley
2008-08-28 15:49 ` Paul Moore
2008-08-28 0:22 ` Joy Latten
2008-08-28 1:30 ` Casey Schaufler
2008-08-28 15:58 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2008-07-25 17:51 Joy Latten
2008-07-26 16:34 ` Paul Moore
2008-07-26 16:34 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200808271756.22660.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=dpquigl@tycho.nsa.gov \
--cc=gcwilson@us.ibm.com \
--cc=latten@austin.ibm.com \
--cc=selinux@tycho.nsa.gov \
--cc=serue@us.ibm.com \
--cc=tjaeger@cse.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.