Mapping Company Classification Policy to the S/MIME Security Label

Weston Nicolls
wnicolls@telenisus.com
S/MIME Working Group Meeting
December 13, 2000

Purpose
• Informational RFC
• Build on Security Label feature defined in ESS for S/MIME - RFC 2634
• Show how Security Label can be used to implement an organizational security policy

Telenisus Corporation

3rd Draft
• Classification Policies and Examples for:
  – Amoco Corporation
    • General, Confidential, Highly Confidential
  – Caterpillar Inc
    • Public, Confidential Green, Confidential Yellow, Confidential Red
  – Whirlpool Corporation
    • Public, Internal, Confidential

3rd Draft
• Security Categories syntax and examples
• Attribute Owner Clearance examples
• Privacy Mark examples

Security Category Syntax

    SecurityCategories ::= SET SIZE (1..ub-security-categories) OF
        SecurityCategory

    ub-security-categories INTEGER ::= 64

    SecurityCategory ::= SEQUENCE {
        type  [0] OBJECT IDENTIFIER,
        value [1] ANY DEFINED BY type  -- defined by type
    }

Security Category Syntax

One example of a SecurityCategory syntax is SecurityCategoryValues. When id-securityCategoryValues is present in the SecurityCategory type field, the SecurityCategory value field could take the form of SecurityCategoryValues as follows:

    SecurityCategoryValues ::= SEQUENCE OF UTF8String

Example

    ESSSecurityLabel:
        security-policy-identifier: id-tsp-3
        security-classification: 9
        privacy-mark: ATTORNEY-CLIENT PRIVILEGED INFORMATION
        security-categories: SEQUENCE OF SecurityCategory
            SecurityCategory #1
                type: id-tsp-4
                value: LAW DEPARTMENT USE ONLY

Example

Clearance Attribute (passes access control check):

    Clearance:
        policyId: id-tsp-3
        classList BIT STRING: Bits 0, 1, 2, 9 are set to TRUE
        securityCategories: SEQUENCE OF SecurityCategory
            SecurityCategory #1
                type: id-tsp-4
                value: LAW DEPARTMENT USE ONLY
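
The two example slides, worked through as an added Python sketch (not code from the presentation or from any S/MIME implementation). It assumes the access control check means: same policy identifier, the label's classification bit set in classList, and every label security category present in the clearance; the slides do not spell out the rule. The class and function names are hypothetical, the OIDs are kept as the slides' symbolic names, and the failing clearances are constructed.

```python
from dataclasses import dataclass

UB_SECURITY_CATEGORIES = 64  # ub-security-categories from the syntax slide


@dataclass(frozen=True)
class SecurityLabel:
    policy_id: str                       # security-policy-identifier
    classification: int                  # security-classification
    privacy_mark: str = ""               # carried for display, not used in the check
    categories: frozenset = frozenset()  # set of (type, value) pairs


@dataclass(frozen=True)
class Clearance:
    policy_id: str                       # policyId
    class_list: frozenset                # classList bit positions set to TRUE
    categories: frozenset = frozenset()  # set of (type, value) pairs


def check_access(label, clearance):
    """Return (allowed, reason) under the assumed rule named in the lead-in."""
    if len(label.categories) > UB_SECURITY_CATEGORIES:
        return False, "label exceeds ub-security-categories"
    if label.policy_id != clearance.policy_id:
        return False, "policy identifier mismatch"
    if label.classification not in clearance.class_list:
        return False, f"classList bit {label.classification} not set"
    missing = label.categories - clearance.categories
    if missing:
        return False, "missing categories: " + ", ".join(sorted(v for _, v in missing))
    return True, "ok"


# Values taken from the two example slides.
LAW = ("id-tsp-4", "LAW DEPARTMENT USE ONLY")
LABEL = SecurityLabel("id-tsp-3", 9, "ATTORNEY-CLIENT PRIVILEGED INFORMATION",
                      frozenset({LAW}))
PASSING = Clearance("id-tsp-3", frozenset({0, 1, 2, 9}), frozenset({LAW}))
# Constructed clearances that should be refused (not from the slides).
NO_BIT_9 = Clearance("id-tsp-3", frozenset({0, 1, 2}), frozenset({LAW}))
NO_CATEGORY = Clearance("id-tsp-3", frozenset({0, 1, 2, 9}))
OTHER_POLICY = Clearance("id-example-other-policy", frozenset({0, 1, 2, 9}),
                         frozenset({LAW}))

if __name__ == "__main__":
    for name, c in [("passing", PASSING), ("no bit 9", NO_BIT_9),
                    ("no category", NO_CATEGORY), ("other policy", OTHER_POLICY)]:
        print(name, check_access(LABEL, c))
```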