From 921f7260914c826ba0b28c986566e9c6dedba159 Mon Sep 17 00:00:00 2001
From: Peter Saint-Andre
Date: Tue, 10 Mar 2009 21:50:59 +0000
Subject: [PATCH] 0.2
git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@2867 4b5297f7-1745-476d-ba37-a9c6900126ab
---
xep-0258.xml | 459 +++++++++++++++++++++++++++++++--------------------
1 file changed, 282 insertions(+), 177 deletions(-)
diff --git a/xep-0258.xml b/xep-0258.xml
index 18ddb54c..810a0b74 100644
--- a/xep-0258.xml
+++ b/xep-0258.xml
@@ -7,14 +7,6 @@
- RFC 2634 RFC 2634: Enhanced Security Services for S/MIME <http://tools.ietf.org/html/rfc2634>." >
- ASN.1 X.680: Abstract Syntax Notation One (ASN.1): Specification of basic notation <http:://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf>." >
- BER X.690: ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) <http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf>." >
- X.500 X.500: The Directory: Overview of concepts, models and service <http://www.itu.int/rec/T-REC-X.500-200102-I/en>." >
- X.841 X.841: Security techniques - Security information objects for access control <http://www.itu.int/rec/T-REC-X.841-200010-I/en>." >
- SDN.801c SDN.801c: Access Control Concept and Mechanism, US National Security Agency, Revision C, 12 May 1999." >
- IC-ISM Common Information Sharing Standard for Information Security Marking: XML Implementation, Office of the Director of National Intelligence,
-Release 2.0.3, 15 February 2006." >
%ents;
]>
@@ -33,7 +25,6 @@ Release 2.0.3, 15 February 2006." >
XMPP CoreXEP-0001
- Etc.
@@ -44,6 +35,12 @@ Release 2.0.3, 15 February 2006." >
Kurt.Zeilenga@Isode.COMKurt.Zeilenga@Isode.COM
+
+ 0.2
+ 2009-03-10
+ kdz
+
Reworked discovery and various updates.
+ 0.12009-01-05
@@ -78,39 +75,42 @@ Release 2.0.3, 15 February 2006." >
commonly used in conjunction with &X.500; clearances and either X.841 or &SDN.801c;
security policies.
- This content is classified.
-
- SECRET
-
-
-
+
+ This content is classified.
+
+ SECRET
+
+
+
]]>
- This content is classified.
-
- SECRET
-
-
-
+
+ This content is classified.
+
+ SECRET
+
+
+
]]>
Note: The &IC-ISM; label example is for illustrative purposes only.
The document details when security label metadata should or should not be provided, and how
this metadata is to be processed.
-
This document does not (yet?) provide:
+
+
This document does not provide:
-
any mechanism for a client might discover the security policy enforce at its home server,
- or any other server;
+
any mechanism for a client might discover the security policy
+ enforce at its home server, or any other server;
any mechanism for a client to discover the user's clearance,
or the clearance of associated with any resource; nor
-
any administrative mechanism for a client to configure configure policy,
- clearance, and labels of any resource.
+
any administrative mechanism for a client to configure
+ configure policy, clearance, and labels of any resource.
- Such mechanisms may be introduced in subsequent documents.
+
+ Such mechanisms may be introduced in subsequent documents.
@@ -156,20 +156,20 @@ Release 2.0.3, 15 February 2006." >
includes a security label, zero or more equivalent security labels, and optionally display
marking data.
- This content is classified.
-
- SECRET
-
-
- MRACAgEABgIpARMGT3Jhbmdl
-
-
-
+
+ This content is classified.
+
+ SECRET
+
+
+ MRUCAgD9DA9BcXVhIChvYnNvbGV0ZSk=
+
+
+
]]>
The security label metadata is carried in an &SECURITYLABEL; element.
The &SECURITYLABEL; element which contains one and only one &LABEL; element,
@@ -193,21 +193,28 @@ Release 2.0.3, 15 February 2006." >
colorizing the display marking.
-
-
It is RECOMMENDED the server publish security label information, including a
- catalog of labels, for use by clients.
-
The catalog provided should only contain labels for which the client is allowed to use
- (based upon the user's authorization). The catalog may not be include the complete
- set of labels available for the use by the client.
-
As each service domain may have different support for security labels, servers
- should advertise and clients should perform appropriate discovery lookups on a
- per service basis.
-
To indicate the support for label information discovery, a server advertises the
- urn:xmpp:sec-label:info:0 feature.
-
+
It is RECOMMENDED the server publish a catalogs of security label
+ for use by clients.
+
Each catalog provided should only contain labels for which the client
+ is allowed to use (based upon the user's authorization) in a particular
+ context (such as in chatroom). A catalog may not be include the
+ complete set of labels available for the use by the client in the
+ context.
+
Note: the single catalog per context approach used here
+ is likely inadequate in enviroments where there are a large number
+ of labels in use. It is expected that a more sophisticated approach
+ will be introduced in a subsequent revision of this
+ specification.
+
As each service domain may have different support for security labels,
+ servers should advertise and clients should perform appropriate
+ discovery lookups on a per service basis.
+
To indicate the support for label catalog discovery, a server
+ advertises the urn:xmpp:sec-label:catalog:0 feature.
+ The following pair of examples illustrates this feature discovery.
@@ -508,9 +506,9 @@ And by opposing end them?
UNCLASSIFIED
-
+
@@ -540,9 +538,9 @@ And by opposing end them?
UNCLASSIFIED
-
+
@@ -552,6 +550,14 @@ And by opposing end them?
+
+
+ This extension is itself is extensible. In particular, the &LABEL; and &EQUIVALENTLABEL;
+ elements are designed to hold a range of security labels formats. XML namespaces SHOULD
+ be used to avoid name clashes.
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
- ]]>
+ A copy of this schema is available at
+
+ http://www.xmpp.org/schemas/sec-label-ess.xsd.