draft-ietf-smime-seclabel-02.txt vs. draft-ietf-smime-seclabel-03.txt
(rfcdiff comparison; the text that follows is the -03 column)

S/MIME Working Group                                          Weston Nicolls
INTERNET-DRAFT                                         Telenisus Corporation
Expires July, 2001                                              January 2001

              Implementing Company Classification Policy
                    with the S/MIME Security Label
                 <draft-ietf-smime-seclabel-03.txt>

Status of this memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of [RFC2026].

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and
may be updated, replaced, or obsoleted by other documents at any time. It
is inappropriate to use Internet-Drafts as reference material or to cite
them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Copyright (C) The Internet Society (2001). All Rights Reserved.
1. Introduction

This document discusses how company security policy for data classification
can be mapped to the S/MIME security label. Actual policies from 3 companies
are used to provide worked examples.

Security labels are an optional security service for S/MIME. A security label
is a set of security information regarding the sensitivity of the content
that is protected by S/MIME encapsulation. A security label can be included
in the signed attributes of any SignedData object. A security label attribute

skipping to change at line 62
1.1 Information Classification Policies

Information is an asset, but not all information has the same value for a
business. Not all information needs to be protected as strongly as other
information.

Research and development plans, marketing strategies and manufacturing quality
specifications developed and used by a company provide competitive advantage.
This type of information, which if disclosed or modified would cause moderate
to severe damage to the company, needs stronger protective measures than other
information.

Other types of information such as internal organization charts, employee lists
and policies may need little or no protective measures, based on the value the
organization places on them.

A corporate information classification policy defines how its information assets
are to be protected. It provides guidance to employees on how to classify
information assets. It defines how to label and protect an asset based on its
classification and state (e.g. facsimile, electronic transfer, storage,
shipping, etc.).
skipping to change at line 182

controls to ensure a minimal level of assurance that the integrity of the data
is maintained. This applies to all data that is not placed in one of the above
classifications. Examples: Lease Production Data, Expense Data, Financial Data,
and Exploration Data.

CRITICAL - It is important to assess the availability requirements of data,
applications and systems. A business decision will be required to determine the
length of unavailability that can be tolerated prior to expending additional
resources to ensure the information availability that is required. Information
should be labeled "CRITICAL" if it is determined that special procedures should
be used to ensure its availability.
2.1.2 Caterpillar, Inc.

The description for the Caterpillar information classification policy is taken
from the Caterpillar Information Protection Guidelines. Caterpillar classifies
its information assets based on confidentiality and defines 4 hierarchical
classifications.

Caterpillar Confidential Red - Provides a significant competitive advantage.
Disclosure would cause severe damage to operations. Relates to or describes a

skipping to change at line 247
data; merger/acquisition, product, or marketing plans; new product designs,
proprietary processes and systems.

WHIRLPOOL INTERNAL - All forms of proprietary information originated or owned by
Whirlpool, or entrusted to it by others. Examples: Organization charts,
policies, procedures, phone directories, some types of training materials.

WHIRLPOOL PUBLIC - Information officially released by Whirlpool for widespread
public disclosure. Example: Press releases, public marketing materials,
employment advertising, annual reports, product brochures, the public web site,
etc.

The policy also states that privacy markings are allowable. Specifically:

For WHIRLPOOL INTERNAL, additional markings or caveats are optional at the
discretion of the information owner.

For WHIRLPOOL CONFIDENTIAL, add additional marking or caveats as necessary to
comply with regulatory or heightened security requirements. Examples: MAKE NO
COPIES, THIRD PARTY CONFIDENTIAL, ATTORNEY-CLIENT PRIVILEGED DOCUMENT,
DISTRIBUTION LIMITED TO ____, COVERED BY A NON-ANALYSIS AGREEMENT.
2.2 S/MIME Classification Label Organizational Examples

[ESS] defines the ESSSecurityLabel syntax and processing rules. This section
builds upon those definitions to define detailed example policies.

2.2.1 Security Label Components

The examples are detailed using the various components of the ESSSecurityLabel
syntax.

2.2.1.1 Security Policy Identifier

skipping to change at line 297
   id-tsp-TEST-Amoco OBJECT IDENTIFIER ::= { id-tsp 1 }
   id-tsp-TEST-Caterpillar OBJECT IDENTIFIER ::= { id-tsp 2 }
   id-tsp-TEST-Whirlpool OBJECT IDENTIFIER ::= { id-tsp 3 }

2.2.1.2 Security Classification

The security classification values and meanings are defined by the governing
company policies. The security-classification values defined are hierarchical
and do not use integers 0 through 5.

   Amoco-SecurityClassification ::= INTEGER {
      amoco-general (6),
      amoco-confidential (7),
      amoco-highly-confidential (8) }

   Caterpillar-SecurityClassification ::= INTEGER {
      caterpillar-public (6),
      caterpillar-green (7),
      caterpillar-yellow (8),
      caterpillar-red (9) }

   Whirlpool-SecurityClassification ::= INTEGER {
      whirlpool-public (6),
      whirlpool-internal (7),
      whirlpool-confidential (8) }

2.2.1.3 Privacy Mark

Privacy marks are specified in the Whirlpool policy. The policy provides examples
of possible markings but others can be defined by users as necessary (though no
guidance is given). The Whirlpool policy provides the following examples:
MAKE NO COPIES, THIRD PARTY CONFIDENTIAL, ATTORNEY-CLIENT PRIVILEGED DOCUMENT,
DISTRIBUTION LIMITED TO ____, and COVERED BY A NON-ANALYSIS AGREEMENT.

The Amoco policy does not identify any privacy marks but the classification

skipping to change at line 356
   ub-security-categories INTEGER ::= 64

   SecurityCategory ::= SEQUENCE {
      type  [0] OBJECT IDENTIFIER,
      value [1] ANY DEFINED BY type -- defined by type
   }

One example of a SecurityCategory syntax is SecurityCategoryValues, as follows.
When id-securityCategoryValues is present in the SecurityCategory type field,
then the SecurityCategory value field could take the form of:

   SecurityCategoryValues ::= SEQUENCE OF UTF8String

2.2.1.4.2 Use

An organization will define a securityCategoryType OID representing the
syntax for representing a security category value within their security policy.
For the example security category syntax, a UTF8String is used to convey the
security category value that applies to the labeled message. Access MUST be
restricted to only those entities who are authorized to access every
SecurityCategoryValue. Access is authorized if the ESSSecurityLabel
SecurityCategoryValue EXACTLY matches the Clearance SecurityCategoryValue.
2.2.2 Attribute Owner Clearance

The security clearance and category authorizations for the user are defined in
the clearance attribute.

2.2.2.1 Amoco User

   Clearance:
      policyId: 1 2 840 113549 1 9 16 7 1
      classList: amoco-general (6),
                 amoco-confidential (7),
                 amoco-highly-confidential (8)

2.2.2.2 Caterpillar User

   Clearance:
      policyId: 1 2 840 113549 1 9 16 7 2
      classList: caterpillar-public (6),
                 caterpillar-confidential green (7),
                 caterpillar-confidential yellow (8),
                 caterpillar-confidential red (9)

2.2.2.3 Whirlpool User

   Clearance:
      policyId: 1 2 840 113549 1 9 16 7 3
      classList: whirlpool-public (6),
                 whirlpool-internal (7),
                 whirlpool-confidential (8)

2.2.3 Security Category Example

This section includes an example RFC 2634 ESSSecurityLabel including the example
Security Category syntax. This section also includes example X.501
Clearance attributes. One of the example Clearance attributes includes a
set of authorizations that pass the access control check for the example
ESSSecurityLabel. The other example Clearance attributes each include a set
of authorizations that fail the access control check for the example
ESSSecurityLabel.

These examples use the id-tsp-TEST-Whirlpool OID defined
in section 2.2.1.1. Assume that the security policy identified
by id-tsp-TEST-Whirlpool defines one securityCategoryType OID as follows:

   id-tsp-TEST-Whirlpool-Categories OBJECT IDENTIFIER ::= { id-tsp 4 }

Example ESSSecurityLabel:

   ESSSecurityLabel:
      security-policy-identifier: id-tsp-3
      security-classification: 8
      privacy-mark: ATTORNEY-CLIENT PRIVILEGED INFORMATION
      security-categories: SEQUENCE OF SecurityCategory
         SecurityCategory #1
            type: id-tsp-4
            value: LAW DEPARTMENT USE ONLY

Example Clearance Attribute #1 (passes access control check):

   Clearance:
      policyId: id-tsp-3
      classList BIT STRING: Bits 6, 7, 8 are set to TRUE
      securityCategories: SEQUENCE OF SecurityCategory
         SecurityCategory #1
            type: id-tsp-4
            value: LAW DEPARTMENT USE ONLY

Example Clearance Attribute #2 (fails access control check because
SecurityCategoryValues do not match):

   Clearance:
      policyId: id-tsp-3
      classList BIT STRING: Bits 6, 7, 8 are set to TRUE
      securityCategories: SEQUENCE OF SecurityCategory
         SecurityCategory #1:
            type: id-tsp-4
            value: HUMAN RESOURCES USE ONLY
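The access control check stated in section 2.2.1.4.2 and illustrated by the example label and Clearance attributes above, as an added Python example (not code from the draft). It uses the draft's own OIDs, classification values and category strings; the data structures, the access_permitted function and the class_list_bits BIT STRING decoder are this example's own, and Clearance #3 is a constructed case that is not in the draft. Since security-classification is OPTIONAL in the [ESS] ESSSecurityLabel syntax, a label without one is treated here as imposing no classification constraint; that is an assumption of this example.

```python
"""ESSSecurityLabel versus Clearance access control check (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Oid = Tuple[int, ...]

# The draft's example policyId values are 1 2 840 113549 1 9 16 7 {1, 2, 3},
# so id-tsp is the arc 1 2 840 113549 1 9 16 7.
ID_TSP: Oid = (1, 2, 840, 113549, 1, 9, 16, 7)
ID_TSP_TEST_WHIRLPOOL: Oid = ID_TSP + (3,)             # { id-tsp 3 }
ID_TSP_TEST_WHIRLPOOL_CATEGORIES: Oid = ID_TSP + (4,)  # { id-tsp 4 }


@dataclass(frozen=True)
class SecurityCategory:
    """One SecurityCategory: its type OID and one SecurityCategoryValues string."""
    type_oid: Oid
    value: str


@dataclass(frozen=True)
class ESSSecurityLabel:
    security_policy_identifier: Oid
    security_classification: Optional[int] = None   # OPTIONAL in [ESS]
    privacy_mark: Optional[str] = None              # display only, not checked
    security_categories: FrozenSet[SecurityCategory] = frozenset()


@dataclass(frozen=True)
class Clearance:
    policy_id: Oid
    class_list: FrozenSet[int]                      # bit positions set TRUE in classList
    security_categories: FrozenSet[SecurityCategory] = frozenset()


def class_list_bits(contents: bytes, unused_bits: int) -> FrozenSet[int]:
    """Decode the contents octets of a BIT STRING into the set of bit positions
    that are 1.  Per X.690 bit 0 is the most significant bit of the first octet
    and the last `unused_bits` bits of the final octet are padding."""
    positions = set()
    for pos in range(len(contents) * 8 - unused_bits):
        octet, shift = divmod(pos, 8)
        if contents[octet] & (0x80 >> shift):
            positions.add(pos)
    return frozenset(positions)


def access_permitted(label: ESSSecurityLabel, clearance: Clearance) -> Tuple[bool, str]:
    """Apply the draft's rule: same policy, the label's classification bit set in
    the clearance classList, and every label category EXACTLY matched (type OID
    and value) by a clearance category.  Assumption of this example: a label
    with no security-classification imposes no classification constraint."""
    if label.security_policy_identifier != clearance.policy_id:
        return False, "policy identifier mismatch"
    cls = label.security_classification
    if cls is not None and cls not in clearance.class_list:
        return False, f"classification {cls} not authorized by clearance classList"
    for category in label.security_categories:
        if category not in clearance.security_categories:
            return False, f"no exact match in clearance for category {category.value!r}"
    return True, "access permitted"


# The draft's example label and Clearance attributes (section 2.2.3).
LAW_DEPT = SecurityCategory(ID_TSP_TEST_WHIRLPOOL_CATEGORIES, "LAW DEPARTMENT USE ONLY")
HR_ONLY = SecurityCategory(ID_TSP_TEST_WHIRLPOOL_CATEGORIES, "HUMAN RESOURCES USE ONLY")

EXAMPLE_LABEL = ESSSecurityLabel(
    security_policy_identifier=ID_TSP_TEST_WHIRLPOOL,
    security_classification=8,                      # whirlpool-confidential
    privacy_mark="ATTORNEY-CLIENT PRIVILEGED INFORMATION",
    security_categories=frozenset({LAW_DEPT}),
)

# "Bits 6, 7, 8 are set to TRUE" as DER BIT STRING contents: octets 03 80 with
# 7 unused bits in the last octet.
WHIRLPOOL_ALL_BITS = class_list_bits(b"\x03\x80", unused_bits=7)   # {6, 7, 8}

CLEARANCE_1 = Clearance(ID_TSP_TEST_WHIRLPOOL, WHIRLPOOL_ALL_BITS, frozenset({LAW_DEPT}))
CLEARANCE_2 = Clearance(ID_TSP_TEST_WHIRLPOOL, WHIRLPOOL_ALL_BITS, frozenset({HR_ONLY}))
# Constructed (not in the draft): bits 6 and 7 only, i.e. cleared up to
# whirlpool-internal; holds the right category but not the classification.
CLEARANCE_3 = Clearance(ID_TSP_TEST_WHIRLPOOL, class_list_bits(b"\x03", unused_bits=0),
                        frozenset({LAW_DEPT}))


def run_examples() -> dict:
    """Evaluate the example label against each clearance: name -> (ok, reason)."""
    cases = (("clearance-1", CLEARANCE_1), ("clearance-2", CLEARANCE_2), ("clearance-3", CLEARANCE_3))
    return {name: access_permitted(EXAMPLE_LABEL, clearance) for name, clearance in cases}


if __name__ == "__main__":
    for name, (ok, reason) in run_examples().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({reason})")
```

The category comparison is deliberately a plain equality on the (type OID, value) pair with no case folding or whitespace trimming, because the draft requires an EXACT match; any normalisation would widen the set of clearances that satisfy a label.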
2.2.4 Additional ESSSecurityLabel Processing Guidance
An implementation issue can be the mapping of the security label values to
displayable characters. This is an issue for users who want to develop and
retire their own classifications and categories on a regular basis and when the
values are encoded in non-human-readable form. Applications
should provide a means for the enterprise to manage these changes. The practice
of hard coding the mapping into the applications is discouraged.

This issue is viewed as a local issue for the application vendor, as the solution
does not need to be interoperable between vendors.

An approach is the use of a Security Policy Information File (SPIF) [ISO15816].
A SPIF is a construct that conveys domain-specific security policy information.
It is a signed object to protect it from unauthorized changes and to
authenticate the source of the policy information. It contains critical display
information such as the text string for security classifications and security
categories to be displayed to the user, as well as additional security policy
information.

Another implementation issue can be obtaining the recipient's certificate when
sending a signed-only message with a security label. Normally the recipient's
certificate is only needed when sending an encrypted message. Applications will
need to be able to retrieve the recipient's certificate so that the recipient's
clearance information is available for the access control check.
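The display-mapping guidance above (a table managed by the enterprise rather than strings hard-coded into the application), as an added Python example that is not part of the draft. The JSON table is a constructed stand-in carrying only the display strings for the draft's Whirlpool example policy; it is not the ISO/IEC 15816 SPIF syntax, and the signature verification a real SPIF would require before the table is trusted is not shown. The class and function names are this example's own.

```python
"""Display-string mapping for ESSSecurityLabel values from a managed table (added example)."""
import json
from typing import Dict, Iterable, Optional, Tuple

# Constructed display table for the draft's Whirlpool example policy.  It is
# NOT the ISO/IEC 15816 SPIF syntax: it carries only what the draft says a
# SPIF supplies to the application, the text strings for classifications and
# the known category types, keyed by the values that appear in the label.
WHIRLPOOL_DISPLAY_TABLE = """
{
  "policy_id": "1.2.840.113549.1.9.16.7.3",
  "classifications": {
    "6": "WHIRLPOOL PUBLIC",
    "7": "WHIRLPOOL INTERNAL",
    "8": "WHIRLPOOL CONFIDENTIAL"
  },
  "category_types": {
    "1.2.840.113549.1.9.16.7.4": "Whirlpool handling category"
  }
}
"""


class LabelDisplayPolicy:
    """Resolves label values to display strings using a loaded (not hard-coded) table."""

    def __init__(self, table: dict) -> None:
        self.policy_id: str = table["policy_id"]
        self.classifications: Dict[int, str] = {int(k): v for k, v in table["classifications"].items()}
        self.category_types: Dict[str, str] = dict(table["category_types"])

    @classmethod
    def from_json(cls, text: str) -> "LabelDisplayPolicy":
        # A deployed table would have its signature verified before this point.
        return cls(json.loads(text))

    def render(self, policy_id: str, classification: Optional[int], privacy_mark: Optional[str],
               categories: Iterable[Tuple[str, str]]) -> str:
        """Build the marking line for a label.  Raises instead of guessing when a
        value is not defined by the loaded policy, e.g. a retired classification."""
        if policy_id != self.policy_id:
            raise ValueError(f"label policy {policy_id} is not the loaded policy {self.policy_id}")
        parts = []
        if classification is not None:
            if classification not in self.classifications:
                raise LookupError(f"classification {classification} is not defined in policy {policy_id}")
            parts.append(self.classifications[classification])
        if privacy_mark:
            parts.append(privacy_mark)
        for type_oid, value in categories:
            if type_oid not in self.category_types:
                raise LookupError(f"category type {type_oid} is not defined in policy {policy_id}")
            parts.append(value)     # SecurityCategoryValues strings are already human readable
        return " // ".join(parts)


def try_render(policy: LabelDisplayPolicy, policy_id: str, classification: Optional[int],
               privacy_mark: Optional[str], categories: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Wrapper returning (True, marking) or (False, reason) so a caller can refuse
    to display an uninterpretable label rather than show a wrong marking."""
    try:
        return True, policy.render(policy_id, classification, privacy_mark, categories)
    except (ValueError, LookupError) as exc:
        return False, str(exc)


WHIRLPOOL_POLICY = LabelDisplayPolicy.from_json(WHIRLPOOL_DISPLAY_TABLE)
WHIRLPOOL_OID = "1.2.840.113549.1.9.16.7.3"     # id-tsp-TEST-Whirlpool
CATEGORY_OID = "1.2.840.113549.1.9.16.7.4"      # id-tsp-TEST-Whirlpool-Categories

if __name__ == "__main__":
    # The draft's example label, then a constructed label carrying an undefined value 9.
    print(try_render(WHIRLPOOL_POLICY, WHIRLPOOL_OID, 8, "ATTORNEY-CLIENT PRIVILEGED INFORMATION",
                     [(CATEGORY_OID, "LAW DEPARTMENT USE ONLY")]))
    print(try_render(WHIRLPOOL_POLICY, WHIRLPOOL_OID, 9, None, []))
```

Retiring a classification is then a change to the table, not to the application, and a label that still carries the retired value is reported as uninterpretable instead of silently rendered with a stale or missing string.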
3. Security Considerations

All security considerations from [CMS] and [ESS] apply to applications that use
procedures described in this document.

A. References

[AC509] Farrell, S., Housley, R., "An Internet Attribute Certificate Profile for
Authorization", draft-ietf-pkix-ac509prof-05.txt.

[CMS] Housley, R., "Cryptographic Message Syntax", RFC 2630.

[ESS] Hoffman, P., Editor, "Enhanced Security Services for S/MIME", RFC 2634.

[MUSTSHOULD] Bradner, S., "Key Words for Use in RFCs to Indicate Requirement
Levels", RFC 2119.

[X.501] "ITU-T Recommendation X.501: Information Technology - Open Systems
Interconnection - The Directory: Models", 1993.

[X.509] "ITU-T Recommendation X.509 (1997 E): Information
Technology - Open Systems Interconnection - The Directory: Authentication
Framework", June 1997.

[ISO15816] "Information Technology - Security Techniques - Security Information
Objects for Access Control", ISO/IEC FDIS 15816:2000.
B. Acknowledgements

I would like to thank Russ Housley for helping me through the process of
developing this document. I would like to thank John Pawling for his technical
assistance and guidance. I would also like to thank the good people at Amoco
(bp), Caterpillar and Whirlpool who allowed me to use their policies as the
real examples that make this document possible.

C. Author's Address

Weston Nicolls
Telenisus Corporation (formerly with Ernst & Young LLP)
1701 Golf Rd
Tower 3, Suite 600
Rolling Meadows, IL 60008
(847) 871-5086
wnicolls@telenisus.com

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/