Mapping Company Classification Policy to the S/MIME Security Label, Weston Nicolls, wnicolls@telenisus.com, S/MIME Working Group Meeting, December 13, 2000


Mapping Company Classification Policy to the S/MIME Security Label

Weston Nicolls

wnicolls@telenisus.com

S/MIME Working Group Meeting
December 13, 2000


Telenisus Corporation 2

Purpose

• Informational RFC

• Build on Security Label feature defined in ESS for S/MIME - RFC 2634

• Show how the Security Label can be used to implement an organizational security policy


3rd Draft

Classification Policies and Examples for:

– Amoco Corporation
  • General, Confidential, Highly Confidential

– Caterpillar Inc
  • Public, Confidential Green, Confidential Yellow, Confidential Red

– Whirlpool Corporation
  • Public, Internal, Confidential


3rd Draft

Security Categories syntax and examples

Attribute Owner Clearance examples

Privacy Mark examples


Security Category Syntax

    SecurityCategories ::= SET SIZE (1..ub-security-categories) OF
        SecurityCategory

    ub-security-categories INTEGER ::= 64

    SecurityCategory ::= SEQUENCE {
        type  [0] OBJECT IDENTIFIER,
        value [1] ANY DEFINED BY type  -- defined by type
    }


Security Category Syntax

One example of a SecurityCategory syntax is SecurityCategoryValues, as follows. When id-securityCategoryValues is present in the SecurityCategory type field, then the SecurityCategory value field could take the form of SecurityCategoryValues as follows:

    SecurityCategoryValues ::= SEQUENCE OF UTF8String


Example ESSSecurityLabel:

    security-policy-identifier: id-tsp-3
    security-classification: 9
    privacy-mark: ATTORNEY-CLIENT PRIVILEGED INFORMATION
    security-categories: SEQUENCE OF SecurityCategory

    SecurityCategory #1
        type: id-tsp-4
        value: LAW DEPARTMENT USE ONLY


Example Clearance Attribute (passes access control check):

    Clearance:
        policyId: id-tsp-3
        classList BIT STRING: Bits 0, 1, 2, 9 are set to TRUE
        securityCategories: SEQUENCE OF SecurityCategory

        SecurityCategory #1
            type: id-tsp-4
            value: LAW DEPARTMENT USE ONLY
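
The comparison behind "passes access control check", worked through for the example label and clearance above; this is an added example, not code from the slides or the draft. Assumptions: the pass rule (same policy identifier, the classList bit for the label's classification is set, and every label category is held in the clearance), plain strings standing in for the OIDs id-tsp-3 and id-tsp-4, and the hypothetical names Label, Clearance, bit_is_set and check_access.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:                    # ESSSecurityLabel fields (RFC 2634)
    policy_id: str
    classification: int
    categories: frozenset       # set of (type, value) pairs
    privacy_mark: str = ""      # display text only, never an access input

@dataclass(frozen=True)
class Clearance:
    policy_id: str
    class_list: bytes           # BIT STRING content: unused-bits octet + data
    categories: frozenset

def bit_is_set(bit_string: bytes, n: int) -> bool:
    """Named bit n of a BIT STRING; bit 0 is the MSB of the first data octet."""
    if not bit_string:
        return False
    unused, data = bit_string[0], bit_string[1:]
    if n < 0 or n >= len(data) * 8 - unused:
        return False            # bits beyond the encoded length are FALSE
    return bool(data[n // 8] & (0x80 >> (n % 8)))

def check_access(label: Label, clearance: Clearance):
    """Assumed rule: same policy, classification bit set, all categories held."""
    if label.policy_id != clearance.policy_id:
        return (False, "policy mismatch")
    if not bit_is_set(clearance.class_list, label.classification):
        return (False, "classification not cleared")
    if label.categories - clearance.categories:
        return (False, "missing category")
    return (True, "ok")

# Constructed from the slides; the OID names stand in for real OIDs.
LAW = ("id-tsp-4", "LAW DEPARTMENT USE ONLY")
LABEL = Label("id-tsp-3", 9, frozenset({LAW}),
              "ATTORNEY-CLIENT PRIVILEGED INFORMATION")
# Bits 0, 1, 2 and 9 set: 10 bits used, 6 unused -> 06 E0 40
CLEARANCE = Clearance("id-tsp-3", bytes([0x06, 0xE0, 0x40]), frozenset({LAW}))

if __name__ == "__main__":
    print(check_access(LABEL, CLEARANCE))
```

A clearance whose classList stops short of bit 9, or that lacks the LAW DEPARTMENT USE ONLY category, fails the same check with a distinct reason string.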