Re: key management

["Perry E. Metzger" <perry@imsi.com>]

Charlie Watt says:
> Unfortunately this is incorrect.  MaxSix -- the multilevel-secure network 
> implementation commonly implemented on Compartmented Mode Workstations and 
> other MLS systems -- is an example of a network layer security protocol.
> The single biggest mistake made in the original version of MaxSix was the
> passing of process-related security attributes (identity information, 
> labels, etc...) at the network layer protocol.

There was no suggestion here that network layer information pass
process related security information. There was only a suggestion that
transports should be able to specify that a particular SAID should be
used for a particular packet -- i.e. that it should be possible to
specify a SAID be used for a particular socket. There was no stated
requirement that a particular application need use this capacity.

You mention NFS as a problem. Nothing we've discussed forces you to
use a particular model for how NFS is to be handled. It only provides
you with the capability to have different NFS requests handled with
different SAIDs -- if and only if you, as the secure NFS implementor,
choose to. I see nothing wrong with this. It is useful in the majority
of cases. The fact that in some small set of cases it is not useful
does not mean that we should not provide the capacity to the 80% of
cases where it is worthwhile.

Perry

---

Follow-Ups:

• Re: key management
• From: Charlie Watt <watt@sware.com>

References:

• Re: key management
• From: Charlie Watt <watt@sware.com>

---

• Prev by Date: Re: Re[2]: key management
• Next by Date: Re: key management
• Prev by thread: Re: key management
• Next by thread: Re: key management
• Index(es):
  • Main
  • Thread