John,

I don't believe this is an off-line subject. As I recall we agreed to defer discussion of "Bypass" to an off-line topic. The topic we are discussing concerns what constitutes high assurance. I am simply pointing out that the "COMPUSEC" policy you were referring to was an access control policy and that the specifics of a given policy have nothing to do with the definition of what is or isn't high assurance. Assurance has to do with the strength or robustness of the measures used to enforce any given set of security policies. As a practical matter, the security policy does have bearing because unless the assets being protected are considered valuable (either intrinsically or otherwise) it is unlikely that the related security policies will be very strong, nor will it be considered as cost-effective to invest in measures that would provide high assurance. Another aspect of high assurance is that whatever is being certified/evaluated will almost certainly involve one or more independent evaluation groups as part of the process.

I'd be interested in others' views on this topic.

Thanks
John F.

________________________________
From: Davidson, John A. [[email protected]]
Sent: Tuesday, May 24, 2011 1:44 PM
To: [email protected]
Subject: Re: [cicm] BoF Request for CICM at IETF 81

John,

That involves that thing we agree to disagree on. Let's please take that continuing discussion off line.

Thanks,
John

----- Original Message -----
From: [email protected] <[email protected]>
To: CICM Discussion List <[email protected]>
Sent: Mon May 23 17:52:45 2011
Subject: Re: [cicm] BoF Request for CICM at IETF 81

John,

I don't believe that was quite true. I believe you are interpreting Bell-LaPadula as an overall security policy, when in fact it was strictly an access control policy, as were most COMPUSEC policies. The US Government's classification system is in fact part of an access control policy.

High Assurance is achieved when it can be shown that the security policy for a platform is rigorously enforced by the security mechanisms... regardless of what that security policy may be. Even the access control policy which says "no flow down" can be "bent" in real world situations when the situation demands. Things are never just black and white (or perhaps I should say black and red).

________________________________
From: Davidson, John A. [[email protected]]
Sent: Monday, May 23, 2011 10:06 AM
To: [email protected]
Subject: Re: [cicm] BoF Request for CICM at IETF 81

The conventional COMPUSEC view of high assurance was that it was indicated where the Policy had to be enforced for certain (mandatory), e.g. no flow down tolerated.

----- Original Message -----
From: [email protected] <[email protected]>
To: CICM Discussion List <[email protected]>
Sent: Mon May 23 05:27:45 2011
Subject: Re: [cicm] BoF Request for CICM at IETF 81

Richard,

On 2011-05-22 at 06:36, Richard Graveman wrote:
> It seems to me that high assurance may well be needed in cases with
> only one domain. Is that out of scope?

Single domain use cases are definitely in scope; but they are very similar (conceptually) to existing commercial crypto APIs. The ability to separate domains is what sets CICM apart. See:

"2.3. Single Security Domain" in CICM Logical Model
http://tools.ietf.org/html/draft-lanz-cicm-lm-00#section-2.3

"18. Single-Domain" in CICM Channel Management
http://tools.ietf.org/html/draft-lanz-cicm-cm-00#section-18

Lev

_______________________________________________
cicm mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cicm
