
Re: Effective policy enforcement



> From: "Marcus Leech" <mleech@nortel.ca>
> 
> I've been thinking a fair amount about the question of, once we have
>   IPSEC, what kinds of access control (and other) policy may actually
>   be implemented by system administrators using IPSEC with ISAKMP.
> 
> The current implementations of ISAKMP use X.509 certificates, which allow
>   the administrator to establish very broad policy, like:
> 
>   "I will establish an SA with any entity bearing a certificate signed by
>    my CA"
> 
>   "I will establish an SA with an entity named Marcus Leech, provided that
>    the certificate was signed by Nortel".
> 
> Both of these policy directives are implementable with the existing ISAKMP
>   assumptions about certificates.  Note, however, that in the second case,
>   if I want to produce (for example) a "group" policy, I must enumerate
>   the Distinguished Names of each member in the group, or I must establish
>   a group CA, and use the first type of policy statement mentioned above.
> 
> The work of the SPKI group allows for much richer policy enforcement than
>   is possible with an X.509 scheme.


This is certainly not true.  The evolving SPKI mechanism can allow a
richer set of authorizations than the two broad examples you specified
above.  But so does X.509.  The richness of expression (and the attendant
complexity) of an access control mechanism is determined by the capabilities
of the mechanism, not by a particular certificate encoding format.

A recent message by David Simonetti (in a non-IETF forum) listed seven
access control mechanisms currently being developed for a specific
(X.509-based, non-IETF) application, and proposed that they be
consolidated into four categories:

  "ISO 10181-3, Access Control Framework, provides the following
   classification of access control mechanisms:  Capability-based,
   Label-based, List-based, and Contextual-based."

The point of this quotation is not that the MISSI access control
framework or ISO 10181-3 are the be-all and end-all of "policy
administration".  The point is that characterizing X.509 certificates
based on the capabilities of current IPSEC/ISAKMP implementations is a
tad myopic, and ignores a large body of prior art.
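Worked example, added here and not part of either message in the thread: a minimal peer-authorization policy layer implementing the certificate-based rules Marcus Leech enumerates (any peer certified by my CA; a named entity certified by a named CA; a "group" done either by enumerating member DNs or by a group CA). It assumes the IKE/ISAKMP implementation has already validated the peer's certificate chain and hands the policy layer only the validated subject DN and the DN of the CA that directly signed the certificate. The CA and peer names are constructed for illustration, not real identities. The one point the code adds beyond the prose is that DNs must be compared by their matching rules (attribute types and values are case-insensitive, whitespace is insignificant, commas may be escaped), since naive string equality on DNs either rejects legitimate peers or invites lookalike names.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable


def parse_dn(dn: str) -> tuple[tuple[str, str], ...]:
    """Split an RFC 2253-style DN string into (type, value) RDNs, honouring
    backslash escapes, and normalise for comparison: attribute types are
    lower-cased; values get caseIgnoreMatch treatment (case folded,
    surrounding whitespace removed, internal whitespace runs collapsed).
    Multi-valued RDNs (joined with '+') are not handled in this example."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)          # escaped char is literal, including ','
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        out.append((attr_type.strip().lower(), " ".join(value.split()).lower()))
    return tuple(out)


def dn_equal(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


@dataclass(frozen=True)
class PeerIdentity:
    """What a chain-validated certificate contributes to policy: the subject
    and the CA that directly issued it (assumed already verified)."""
    subject: str
    issuer: str


Policy = Callable[[PeerIdentity], bool]


def signed_by(ca_dn: str) -> Policy:
    """'Any entity bearing a certificate signed by my CA'.  The same rule,
    pointed at a group CA, is the group-CA form of a group policy."""
    return lambda p: dn_equal(p.issuer, ca_dn)


def named_entity(subject_dn: str, ca_dn: str) -> Policy:
    """'An entity named X, provided the certificate was signed by Y'."""
    return lambda p: dn_equal(p.subject, subject_dn) and dn_equal(p.issuer, ca_dn)


def enumerated_group(member_dns: Iterable[str], ca_dn: str) -> Policy:
    """Group policy by enumerating each member's DN under a common CA."""
    members = {parse_dn(m) for m in member_dns}
    return lambda p: dn_equal(p.issuer, ca_dn) and parse_dn(p.subject) in members


def authorize(policies: Iterable[Policy], peer: PeerIdentity) -> bool:
    """Establish an SA with the peer if any configured policy accepts it."""
    return any(policy(peer) for policy in policies)


# Constructed sample configuration (hypothetical CA and peer names).
NORTEL_CA = "CN=Nortel CA, O=Nortel, C=CA"
POLICIES = [
    named_entity("CN=Marcus Leech, O=Nortel, C=CA", NORTEL_CA),
    enumerated_group(["CN=Alice, O=Nortel, C=CA", "CN=Bob, O=Nortel, C=CA"], NORTEL_CA),
]


def demo() -> dict[str, bool]:
    """Evaluate POLICIES against constructed peers; 'imposter' carries the
    right subject DN but a different issuer and must be refused."""
    peers = {
        "marcus": PeerIdentity("cn=marcus  leech,o=nortel,c=ca", NORTEL_CA),
        "bob": PeerIdentity("CN=Bob, O=Nortel, C=CA", NORTEL_CA),
        "carol": PeerIdentity("CN=Carol, O=Nortel, C=CA", NORTEL_CA),
        "imposter": PeerIdentity("CN=Marcus Leech, O=Nortel, C=CA",
                                 "CN=Other CA, O=Elsewhere, C=US"),
    }
    return {name: authorize(POLICIES, peer) for name, peer in peers.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'SA established' if accepted else 'refused'}")
```

Note that `enumerated_group` and `named_entity` both pin the issuer: a subject-only match would let any CA the IKE peer happens to trust mint a certificate with a matching name. Whether an issuer check should mean "directly signed by" or "chains to" is itself a policy choice; the example implements the stricter, direct-issuer reading, which is what "signed by Nortel" says.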