git-svn-id: file:///home/ksmith/gitmigration/svn/xmpp/trunk@2867 4b5297f7-1745-476d-ba37-a9c6900126ab
Peter Saint-Andre 2009-03-10 21:50:59 +00:00
parent e979994657
commit 921f726091


@ -7,14 +7,6 @@
<!ENTITY EQUIVALENTLABEL "&lt;equivalentlabel/&gt;">
<!ENTITY HEADLINE "&lt;headline/&gt;">
<!ENTITY IDENTITY "&lt;identity/&gt;">
<!ENTITY rfc2634 "<span class='ref'><link url='http://tools.ietf.org/html/rfc2634'>RFC 2634</link></span> <note>RFC 2634: Enhanced Security Services for S/MIME &lt;<link url='http://tools.ietf.org/html/rfc2634'>http://tools.ietf.org/html/rfc2634</link>&gt;.</note>" >
<!ENTITY ASN.1 "<span class='ref'><link url='http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf'>ASN.1</link></span> <note>X.680: Abstract Syntax Notation One (ASN.1): Specification of basic notation &lt;<link url='http:://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf'>http:://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf</link>&gt;.</note>" >
<!ENTITY BER "<span class='ref'><link url='http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf'>BER</link></span> <note>X.690: ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) &lt;<link url='http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf'>http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf</link>&gt;.</note>" >
<!ENTITY X.500 "<span class='ref'><link url='http://www.itu.int/rec/T-REC-X.500-200102-I/en'>X.500</link></span> <note>X.500: The Directory: Overview of concepts, models and service &lt;<link url='http://www.itu.int/rec/T-REC-X.500-200102-I/en'>http://www.itu.int/rec/T-REC-X.500-200102-I/en</link>&gt;.</note>" >
<!ENTITY X.841 "<span class='ref'><link url='http://www.itu.int/rec/T-REC-X.841-200010-I/en'>X.841</link></span> <note>X.841: Security techniques - Security information objects for access control &lt;<link url='http://www.itu.int/rec/T-REC-X.841-200010-I/en'>http://www.itu.int/rec/T-REC-X.841-200010-I/en</link>&gt;.</note>" >
<!ENTITY SDN.801c "<span class='ref'>SDN.801c</span> <note>SDN.801c: Access Control Concept and Mechanism, US National Security Agency, Revision C, 12 May 1999.</note>" >
<!ENTITY IC-ISM "<span class='ref'>IC-ISM</span> <note>Common Information Sharing Standard for Information Security Marking: XML Implementation, Office of the Director of National Intelligence,
Release 2.0.3, 15 February 2006.</note>" >
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
@ -33,7 +25,6 @@ Release 2.0.3, 15 February 2006.</note>" >
<dependencies>
<spec>XMPP Core</spec>
<spec>XEP-0001</spec>
<spec>Etc.</spec>
</dependencies>
<supersedes/>
<supersededby/>
@ -44,6 +35,12 @@ Release 2.0.3, 15 February 2006.</note>" >
<email>Kurt.Zeilenga@Isode.COM</email>
<jid>Kurt.Zeilenga@Isode.COM</jid>
</author>
<revision>
<version>0.2</version>
<date>2009-03-10</date>
<initials>kdz</initials>
<remark><p>Reworked discovery and various updates.</p></remark>
</revision>
<revision>
<version>0.1</version>
<date>2009-01-05</date>
@ -82,9 +79,10 @@ Release 2.0.3, 15 February 2006.</note>" >
<body>This content is classified.</body>
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='red'>SECRET</displaymarking>
<label><esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'
>MQYCAQIGASk=</esssecurityLabel></label>
</securityLabel>
<label><esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'>
MQYCAQQGASk=
</esssecuritylabel></label>
</securitylabel>
</message>
]]></example>
<example caption="Message with IC-ISM Label"><![CDATA[
@ -92,24 +90,26 @@ Release 2.0.3, 15 February 2006.</note>" >
<body>This content is classified.</body>
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='red'>SECRET</displaymarking>
<label><icismlabel xmlns='http://example.gov/IC-ISM/0'
classification='S' ownerProducer='USA' disseminationControls='FOUO'/></label>
</securityLabel>
<label><icismlabel xmlns='http://example.gov/IC-ISM/0' classification='S'
ownerProducer='USA' disseminationControls='FOUO'/></label>
</securitylabel>
</message>
]]></example>
<p>Note: The &IC-ISM; label example is for <em>illustrative purposes only</em>.</p>
<p>The document details when security label metadata should or should not be provided, and how
this metadata is to be processed.</p>
<p>This document does <em>not</em> (yet?) provide:
<p>This document does <em>not</em> provide:
<ul>
<li>any mechanism for a client might discover the security policy enforce at its home server,
or any other server;</li>
<li>any mechanism for a client might discover the security policy
enforce at its home server, or any other server;</li>
<li>any mechanism for a client to discover the user's clearance,
or the clearance of associated with any resource; nor</li>
<li>any administrative mechanism for a client to configure configure policy,
clearance, and labels of any resource.</li>
<li>any administrative mechanism for a client to configure
configure policy, clearance, and labels of any resource.</li>
</ul>
Such mechanisms may be introduced in subsequent documents.</p>
</section1>
@ -161,14 +161,14 @@ Release 2.0.3, 15 February 2006.</note>" >
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='red'>SECRET</displaymarking>
<label>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'
>MQYCAQIGASk=</esssecuritylabel>
</label>
<equivalentlabel>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'
>MRACAgEABgIpARMGT3Jhbmdl</esssecuritylabel>
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'
>MRUCAgD9DA9BcXVhIChvYnNvbGV0ZSk=</esssecuritylabel>
</equivalentlabel>
</securityLabel>
</securitylabel>
</message>
]]></example>
<p>The security label metadata is carried in an &SECURITYLABEL; element.
@ -193,21 +193,28 @@ Release 2.0.3, 15 February 2006.</note>" >
colorizing the display marking.</p>
</section1>
<section1 topic='Label Information Discovery' anchor='label-disco'>
<p>It is RECOMMENDED the server publish security label information, including a
catalog of labels, for use by clients.</p>
<p>The catalog provided should only contain labels for which the client is allowed to use
(based upon the user's authorization). The catalog may not be include the complete
set of labels available for the use by the client.</p>
<p>As each service domain may have different support for security labels, servers
should advertise and clients should perform appropriate discovery lookups on a
per service basis.</p>
<p>To indicate the support for label information discovery, a server advertises the
<tt>urn:xmpp:sec-label:info:0</tt> feature.</p>
<example caption="Label Information Feature Discovery request"><![CDATA[
<section1 topic='Label Catalog Discovery' anchor='label-catalog'>
<p>It is RECOMMENDED the server publish a catalogs of security label
for use by clients.</p>
<p>Each catalog provided should only contain labels for which the client
is allowed to use (based upon the user's authorization) in a particular
context (such as in chatroom). A catalog may not be include the
complete set of labels available for the use by the client in the
context.</p>
<blockquote>Note: the single catalog per context approach used here
is likely inadequate in enviroments where there are a large number
of labels in use. It is expected that a more sophisticated approach
will be introduced in a subsequent revision of this
specification.</blockquote>
<p>As each service domain may have different support for security labels,
servers should advertise and clients should perform appropriate
discovery lookups on a per service basis.</p>
<p>To indicate the support for label catalog discovery, a server
advertises the <tt>urn:xmpp:sec-label:catalog:0</tt> feature.
The following pair of examples illustrates this feature discovery.</p>
<example caption="Label Catalog Feature Discovery request"><![CDATA[
<iq type='get'
from='user@example.com/Work'
to='example.com'
id='disco1'>
<query xmlns='http://jabber.org/protocol/disco#info'/>
</iq>
@ -219,65 +226,56 @@ Release 2.0.3, 15 February 2006.</note>" >
id='disco1'>
<query xmlns='http://jabber.org/protocol/disco#info'>
...
<feature var='urn:xmpp:sec-label:0'/>
<feature var='urn:xmpp:sec-label:info:0'/>
<feature var='urn:xmpp:sec-label:catalog:0'/>
...
</query>
</iq>
]]></example>
<p>The following example illustrates catalog discovery.</p>
<p>The following example pair illustrates catalog discovery.</p>
<!-- Hierarchy of labels? -->
<example caption="Label Information request"><![CDATA[
<iq type='get'
from='user@example.com/Work'
to='example.com'
id='catalog1'>
<query xmlns='urn:xmpp:sec-label:info:0'/>
<example caption="Label Catalog request"><![CDATA[
<iq type='get' id='cat1'>
<catalog xmlns='urn:xmpp:sec-label:catalog:0' to='example.com'/>
</iq>
]]></example>
<example caption="Label Information response"><![CDATA[
<iq type='result'
from='example.com'
to='user@example.com/Work'
id='catalog1'>
<query xmlns='urn:xmpp:sec-label:info:0'>
<labelcatalog>
<example caption="Label Catalog Get response"><![CDATA[
<iq type='result' to='user@example.com/Work' id='cat1'>
<catalog xmlns='urn:xmpp:sec-label:catalog:0'
to='example.com' name='Default'
desc='an example set of labels'/>
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='red'>SECRET</displaymarking>
<label>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'
>MQYCAQQGASk=</esssecuritylabel>
</label>
</securityLabel>
</securitylabel>
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='navy'>CONFIDENTIAL</displaymarking>
<label>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'
>MQYCAQMGASk=</esssecuritylabel>
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'
>MQYCAQMGASk</esssecuritylabel>
</label>
</securityLabel>
</securitylabel>
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='aqua'>RESTRICTED</displaymarking>
<label>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'
>MQYCAQIGASk=</esssecuritylabel>
</label>
</securityLabel>
</securitylabel>
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='green'>UNCLASSIFIED</displaymarking>
<label>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'
>MQMGASk=</esssecuritylabel>
</label>
</securityLabel>
</labelcatalog>
</query>
</securitylabel>
</catalog>
</iq>
]]></example>
<p>The label information may contain other elements.</p>
</section1>
<section1 topic='Use in XMPP' anchor='xmpp-use'>
@ -508,9 +506,9 @@ And by opposing end them?
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='green'>UNCLASSIFIED</displaymarking>
<label>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'>MQMGASk=</esssecuritylabel>
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'>MQMGASk=</esssecuritylabel>
</label>
</securityLabel>
</securitylabel>
</item>
</publish>
</pubsub>
@ -540,9 +538,9 @@ And by opposing end them?
<securitylabel xmlns='urn:xmpp:sec-label:0'>
<displaymarking fgcolor='black' bgcolor='green'>UNCLASSIFIED</displaymarking>
<label>
<esssecuritylabel xmlns='urn:xmpp:sec-label:0'>MQMGASk=</esssecuritylabel>
<esssecuritylabel xmlns='urn:xmpp:sec-label:ess:0'>MQMGASk=</esssecuritylabel>
</label>
</securityLabel>
</securitylabel>
</item>
</items>
</event>
@ -552,6 +550,14 @@ And by opposing end them?
</section2>
</section1>
<section1 topic='Extension Considerations' anchor='exts'>
<p>
This extension is itself is extensible. In particular, the &LABEL; and &EQUIVALENTLABEL;
elements are designed to hold a range of security labels formats. XML namespaces SHOULD
be used to avoid name clashes.
</p>
</section1>
<!--
<section1 topic='Implementation Notes' anchor='impl'>
<p>OPTIONAL.</p>
@ -572,109 +578,208 @@ And by opposing end them?
<p>This document requires no interaction with &IANA;.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>It is requested the &REGISTRAR; add the extension's namespace and schema to
appropriate XMPP registries.</p>
<p>It is requested the Registrar maintain a registry of label types. The
type string "<tt>ESS</tt>" is reserved for use as described in this document.</p>
<p>It is requested the &REGISTRAR; add the extension's namespaces
and schemas to appropriate XMPP registries.</p>
</section1>
<section1 topic='XML Schemas' anchor='schema'>
<section2 topic='&lt;securitylabel/&gt; schema' anchor='schema-sl'>
<section2 topic='Extension Schema' anchor='schema-sl'>
<p>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:xmpp:sec-label:0'
xmlns='urn:xmpp:sec-label:0'
elementFormDefault='qualified'>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:xmpp:sec-label:0"
xmlns="urn:xmpp:sec-label:0" elementFormDefault="qualified">
<xs:annotation>
<xs:documentation>
The protocol documented by this schema is defined in XEP-XXXX:
http://www.xmpp.org/extensions/xep-XXXX.html
</xs:documentation>
<xs:documentation>The protocol documented by this schema is defined in XEP-0258:
http://www.xmpp.org/extensions/xep-0258.html</xs:documentation>
</xs:annotation>
<xs:element name='securitylabel'>
<xs:simpleType name="colorCSS">
<xs:annotation>
<xs:documentation>CSS colors (W3C colors + "orange")</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="aqua"/>
<xs:enumeration value="black"/>
<xs:enumeration value="blue"/>
<xs:enumeration value="fuschia"/>
<xs:enumeration value="gray"/>
<xs:enumeration value="green"/>
<xs:enumeration value="lime"/>
<xs:enumeration value="maroon"/>
<xs:enumeration value="navy"/>
<xs:enumeration value="olive"/>
<xs:enumeration value="purple"/>
<xs:enumeration value="red"/>
<xs:enumeration value="silver"/>
<xs:enumeration value="teal"/>
<xs:enumeration value="white"/>
<xs:enumeration value="yellow"/>
<xs:enumeration value="orange"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="colorRGB">
<xs:annotation>
<xs:documentation>Hex encoded RGB</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern value="#[0-9A-Fa-f]{6}"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="color">
<xs:annotation>
<xs:documentation>Color</xs:documentation>
</xs:annotation>
<xs:union memberTypes="colorCSS colorRGB"/>
</xs:simpleType>
<xs:complexType name="displaymarking">
<xs:annotation>
<xs:documentation>Display Marking</xs:documentation>
<xs:documentation>String to be prominently displayed along with labeled
object.</xs:documentation>
</xs:annotation>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="bgcolor" type="color" use="optional" default="white"/>
<xs:attribute name="fgcolor" type="color" use="optional" default="black"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="label">
<xs:choice minOccurs="0">
<xs:any namespace="##other" processContents="lax"/>
</xs:choice>
</xs:complexType>
<xs:element name="securitylabel">
<xs:annotation>
<xs:documentation>A Security Label</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref='displaymarking' name='displaymarking'/>
<xs:element ref='label' type='label'/>
<xs:element ref='equivalentlabel' type='label'
minOccurs='0' maxOccurs='unbounded'/>
<xs:element name="displaymarking" type="displaymarking">
<xs:annotation>
<xs:documentation>A Display Marking</xs:documentation>
<xs:documentation>To be prominently displayed</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="label" type="label">
<xs:annotation>
<xs:documentation>The Primary Label</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="equivalentlabel" type="label" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>An Equivalent Label</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:complexType>
</xs:complexType>
</xs:element>
<xs:element name='displaymarking' type='xs:string'>
<xs:attribute name='bgcolor' type='xs:string' use='optional'/>
<xs:attribute name='fgcolor' type='xs:string' use='optional'/>
</xs:element>
<xs:complexType name='label'/>
</xs:schema>
]]></code>
A copy of this schema is available at
<link url='http://www.xmpp.org/schemas/sec-label.xsd'>
http://www.xmpp.org/schemas/sec-label.xsd</link>.
</p>
</section2>
<section2 topic='&lt;catalog/&gt; schema' anchor='schema-catalog'>
<p>
<code><![CDATA[
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:sl="urn:xmpp:sec-label:0"
xmlns="urn:xmpp:sec-label:catalog:0" targetNamespace="urn:xmpp:sec-label:catalog:0"
elementFormDefault="qualified">
<xs:annotation>
<xs:documentation>The protocol documented by this schema is defined in XEP-0258:
http://www.xmpp.org/extensions/xep-0258.html</xs:documentation>
</xs:annotation>
<xs:import schemaLocation="xep258.xsd" namespace="urn:xmpp:sec-label:0"/>
<xs:attribute name="to" type="xs:string">
<xs:annotation>
<xs:documentation>Target JabberId</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="name" type="xs:string">
<xs:annotation>
<xs:documentation>Name</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="desc" type="xs:string">
<xs:annotation>
<xs:documentation>Description</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="id" type="xs:string">
<xs:annotation>
<xs:documentation>Identifer for current revision, commonly a hash</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="size" type="xs:integer">
<xs:annotation>
<xs:documentation>Number of items</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:element name="catalog">
<xs:annotation>
<xs:documentation>A Catalog of Labels</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="sl:securitylabel" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute ref="to" use="optional"/>
<xs:attribute ref="name" use="optional"/>
<xs:attribute ref="desc" use="optional"/>
<xs:attribute ref="id" use="optional"/>
<xs:attribute ref="size" use="optional"/>
</xs:complexType>
</xs:element>
</xs:schema>
]]></code>
A copy of this schema is available at
<link url='http://www.xmpp.org/schemas/sec-label-catalog.xsd'>
http://www.xmpp.org/schemas/sec-label-catalog.xsd</link>.
</p>
</section2>
<section2 topic='&lt;esssecuritylabel/&gt; schema' anchor='schema-ess'>
<p>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:xmpp:sec-label:ess:0'
xmlns='urn:xmpp:sec-label:ess:0'
elementFormDefault='qualified'>
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="urn:xmpp:sec-label:ess:0"
xmlns="urn:xmpp:sec-label:ess:0" elementFormDefault="qualified">
<xs:annotation>
<xs:documentation>
The protocol documented by this schema is defined in XEP-XXXX:
http://www.xmpp.org/extensions/xep-XXXX.html
</xs:documentation>
<xs:documentation> The protocol documented by this schema is defined in XEP-0258:
http://www.xmpp.org/extensions/xep-0258.html </xs:documentation>
</xs:annotation>
<xs:element name='esssecuritylabel' type=xs:string'/>
<xs:element name="esssecuritylabel" type="xs:base64Binary">
<xs:annotation>
<xs:documentation>An S/MIME ESS SecurityLabel [RFC2634]</xs:documentation>
<xs:documentation>Value is the base64 encoding of the BER/DER encoding of an ASN.1
ESSSecurityLabel type as defined in RFC 2634. </xs:documentation>
</xs:annotation>
</xs:element>
</xs:schema>
]]></code>
</p>
</section2>
<section2 topic='Label Information schema' anchor='schema-info'>
<p>
<code><![CDATA[
<?xml version='1.0' encoding='UTF-8'?>
<xs:schema
xmlns:xs='http://www.w3.org/2001/XMLSchema'
targetNamespace='urn:xmpp:sec-label:info:0'
xmlns='urn:xmpp:sec-label:info:0'
elementFormDefault='qualified'>
<xs:annotation>
<xs:documentation>
The protocol documented by this schema is defined in XEP-XXXX:
http://www.xmpp.org/extensions/xep-XXXX.html
</xs:documentation>
</xs:annotation>
<xs:element name='query'>
<xs:complexType>
<xs:sequence>
<xs:element ref='labelcatalog' name='labelcatalog'
minOccurs='0' maxOccurs='1'/>
<!-- additional elements here -->
<xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name='labelcatalog'>
<xs:complexType>
<xs:element ref='securitylabel' type='securitylabel'
minOccurs='1' maxOccurs='unbounded'/>
</xs:complexType>
</xs:element>
<xs:complexType name='securitylabel'/>
</xs:schema>
]]></code>
A copy of this schema is available at
<link url='http://www.xmpp.org/schemas/sec-label-ess.xsd'>
http://www.xmpp.org/schemas/sec-label-ess.xsd</link>.
</p>
</section2>
</section1>
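Review bot: The new esssecuritylabel documentation in the ESS schema lets the value be the base64 encoding of either the BER or the DER encoding of an ESSSecurityLabel, so two syntactically different octet strings can denote the same label and a receiver cannot compare labels byte-wise (for example when matching a message's label against a catalog entry or an equivalentlabel), while BER's indefinite-length and non-minimal forms are a well-known source of ASN.1 decoder bugs in exactly the component that makes access-control decisions. I would tighten the documentation to `Value is the base64 encoding of the DER encoding of an ASN.1 ESSSecurityLabel type as defined in RFC 2634.` and state that a receiver which chooses to tolerate BER input must re-encode to DER before comparing labels. Related to that type: the CONFIDENTIAL entry in the catalog example carries `MQYCAQMGASk` without the trailing `=` padding the other entries have, so it does not validate against the xs:base64Binary type the schema now declares. The catalog response example is also not well-formed, since `<catalog ... desc='an example set of labels'/>` is self-closed and then closed again with `</catalog>` after the labels; the securitylabel elements should sit inside a non-self-closed `<catalog ...>` start tag as the catalog schema's content model requires. Finally, the colorCSS enumeration spells the CSS keyword as `fuschia`, which would reject the correct value `fuchsia`.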