Network Working Group W. Nicolls
Request for Comments: 3114 Forsythe Solutions
Category: Informational May 2002
Implementing Company Classification Policy
with the S/MIME Security Label
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document discusses how company security policy for data
classification can be mapped to the S/MIME security label. Actual
policies from three companies provide worked examples.
1. Introduction
Security labels are an optional security service for S/MIME. A
security label is a set of security information regarding the
sensitivity of the content that is protected by S/MIME encapsulation.
A security label can be included in the signed attributes of any
SignedData object. A security label attribute may be included in
either the inner signature, outer signature, or both. The syntax and
processing rules for security labels are described in RFC 2634 [ESS].
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in RFC 2119 [MUSTSHOULD].
1.1 Information Classification Policies
Information is an asset, but not all information has the same value
for a business. Not all information needs to be protected as
strongly as other information.
Research and development plans, marketing strategies and
manufacturing quality specifications developed and used by a company
provide competitive advantage. This type of information needs
Nicolls Informational [Page 1]
RFC 3114 Implementing Company Classification Policy May 2002
stronger protective measures than other information, because its
disclosure or modification would cause moderate to severe damage to the
company.
Other types of information such as internal organization charts,
employee lists and policies may need little or no protective measures
based on value the organization places on it.
A corporate information classification policy defines how its
information assets are to be protected. It provides guidance to
employees on how to classify information assets. It defines how to
label and protect an asset based on its classification and state
(e.g., facsimile, electronic transfer, storage, shipping, etc.).
1.2 Access Control and Security Labels
"Access control" is a means of enforcing authorizations. There are a
variety of access control methods that are based on different types
of policies and rely on different security mechanisms.
- Rule based access control is based on policies that can be
algorithmically expressed.
- Identity based access control is based on a policy which applies
explicitly to an individual person or host entity, or to a defined
group of such entities. Once identity has been authenticated, if
the identity is verified to be on the access list, then access is
granted.
- Rank based access control is based on a policy of hierarchical
positions in an organization. It is based on who you are in the
company structure. A rank-based policy would define what
information the position of Partner or Senior Consultant could
access.
- Role based access control is based on a policy of roles in an
organization. It may or may not be hierarchical. It is based on
who you are in the company. The role-based policy would define
what information the role of Database Administrator, Network
Administrator, Mailroom Clerk or Purchaser could access.
Rule, rank and role-based access control methods can rely on a
security label as the security mechanism to convey the sensitivity or
classification of the information. When processing an S/MIME
encapsulated message, the sensitivity information in the message's
security label can be compared with the recipient's authorizations to
determine if the recipient is allowed to access the protected
content.
An S/MIME security label may be included as a signed attribute in the
inner (or only) signature or the outer signature. In the case of a
triple-wrapped message as defined in RFC 2634, the inner signature
would be used for access control decisions related to the plaintext
original content, while the outer signature would be used for access
control decisions related to the encrypted message.
1.3 User Authorizations
Users need to be granted authorizations to access information that
has been classified by an authority. The sending and receiving
agents need to be able to securely determine the user's
authorizations for access control processing.
X.509 [X.509] and the Internet profile for X.509 certificates
[CERTCRL] do not define the means to represent and convey
authorizations in a certificate.
X.501 [X.501] defines how to represent authorization in the form of a
clearance attribute. The clearance attribute identifies the security
policy in force to which a list of possible classifications and
security categories relates.
X.501 also notes two means for binding the clearance to a named
entity: an Attribute Certificate and a Certificate extension field
(e.g., within the subjectDirectoryAttribute extension).
RFC 3281 [AC509] defines a profile of X.509 Attribute Certificate
(AC) suitable for use with authorization information within Internet
Protocols. One of the defined attributes is Clearance, which carries
clearance (security labeling) information about the AC owner. The
syntax for Clearance is imported from X.501.
2. Developed Examples
2.1 Classification Policies
The following describes the information classification policies in
effect at 3 companies.
2.1.1 Amoco Corporation
The description for the Amoco information classification policy was
taken from the Amoco Computer Security Guidelines. Amoco classifies
its information assets based on confidentiality and integrity and
defines 3 hierarchical classifications for each. The confidentiality
and integrity policies are independent, so either or both may be
applied to the information. Amoco also defines an availability
classification for time critical information.
HIGHLY CONFIDENTIAL - Information whose unauthorized disclosure will
cause the company severe financial, legal or reputation damage.
Examples: Certain acquisitions, bid economics, negotiation
strategies.
CONFIDENTIAL - Information whose unauthorized disclosure may cause
the company financial, legal, or reputation damage. Examples:
Employee Personnel & Payroll Files, some interpreted Exploration
Data.
GENERAL - Information that, because of its personal, technical, or
business sensitivity is restricted for use within the company.
Unless otherwise classified, all information within Amoco is in this
category.
MAXIMUM - Information whose unauthorized modification and destruction
will cause the company severe financial, legal, or reputation damage.
MEDIUM - Information whose unauthorized modification and destruction
may cause the company financial, legal, or reputation damage.
Examples: Electronic Funds, Transfer, Payroll, and Commercial Checks.
MINIMUM - Although an error in this data would be of minimal
consequence, this is still important company information and
therefore will require some minimal controls to ensure a minimal
level of assurance that the integrity of the data is maintained.
This applies to all data that is not placed in one of the above
classifications. Examples: Lease Production Data, Expense Data,
Financial Data, and Exploration Data.
CRITICAL - It is important to assess the availability requirements of
data, applications and systems. A business decision will be required
to determine the length of unavailability that can be tolerated prior
to expending additional resources to ensure the information
availability that is required. Information should be labeled
"CRITICAL" if it is determined that special procedures should be used
to ensure its availability.
2.1.2 Caterpillar, Inc.
The description for the Caterpillar information classification policy
is taken from the Caterpillar Information Protection Guidelines.
Caterpillar classifies its information assets based on
confidentiality and defines 4 hierarchical classifications.
Caterpillar Confidential Red - Provides a significant competitive
advantage. Disclosure would cause severe damage to operations.
Relates to or describes a long-term strategy or critical business
plans. Disclosure would cause regulatory or contractual liability.
Disclosure would cause severe damage to our reputation or the public
image. Disclosure would cause a severe loss of market share or the
ability to be first to market. Disclosure would cause a loss of an
important customer, shareholder, or business partner. Disclosure
would cause a long-term or severe drop in stock value. Strong
likelihood somebody is seeking to acquire this information.
Caterpillar Confidential Yellow - Provides a competitive advantage.
Disclosure could cause moderate damage to the company or an
individual. Relates to or describes an important part of the
operational direction of the company over time. Important technical
or financial aspects of a product line or a business unit.
Disclosure could cause a loss of Customer or Shareholder confidence.
Disclosure could cause a temporary drop in stock value. A likelihood
that somebody could seek to acquire this information.
Caterpillar Confidential Green - Might provide a business advantage
over those who do not have access to the same information. Might be
useful to a competitor. Not easily identifiable by inspection of a
product. Not generally known outside the company or available from
public sources. Generally available internally. Little competitive
interest.
Caterpillar Public - Would not provide a business or competitive
advantage. Routinely made available to interested members of the
General Public. Little or no competitive interest.
2.1.3 Whirlpool Corporation
The description for the Whirlpool information classification policy
is taken from the Whirlpool Information Protection Policy. Whirlpool
classifies its information assets based on confidentiality and
defines 3 hierarchical classifications. The policy states that:
"All information generated by or for Whirlpool, in whatever form,
written, verbal, or electronic, is to be treated as WHIRLPOOL
INTERNAL or WHIRLPOOL CONFIDENTIAL. Classification of information in
either category depends on its value, the impact of unauthorized
disclosure, legal requirements, and the manner in which it needs to
be used by the company. Some WHIRLPOOL INTERNAL information may be
authorized for public release."
WHIRLPOOL CONFIDENTIAL - A subset of Whirlpool Internal information,
the unauthorized disclosure or compromise of which would likely have
an adverse impact on the company's competitive position, tarnish its
reputation, or embarrass an individual. Examples: Customer,
financial, pricing, or personnel data; merger/acquisition, product,
or marketing plans; new product designs, proprietary processes and
systems.
WHIRLPOOL INTERNAL - All forms of proprietary information originated
or owned by Whirlpool, or entrusted to it by others. Examples:
Organization charts, policies, procedures, phone directories, some
types of training materials.
WHIRLPOOL PUBLIC - Information officially released by Whirlpool for
widespread public disclosure. Example: Press releases, public
marketing materials, employment advertising, annual reports, product
brochures, the public web site, etc.
The policy also states that privacy markings are allowable.
Specifically:
For WHIRLPOOL INTERNAL, additional markings or caveats are optional
at the discretion of the information owner.
For WHIRLPOOL CONFIDENTIAL, add additional marking or caveats as
necessary to comply with regulatory or heightened security
requirements. Examples: MAKE NO COPIES, THIRD PARTY CONFIDENTIAL,
ATTORNEY-CLIENT PRIVILEGED DOCUMENT, DISTRIBUTION LIMITED TO ____,
COVERED BY A NON-ANALYSIS AGREEMENT.
2.2 S/MIME Classification Label Organizational Examples
RFC 2634 [ESS] defines the ESSSecurityLabel syntax and processing
rules. This section builds upon those definitions to define detailed
example policies.
2.2.1 Security Label Components
The examples are detailed using the various components of the
eSSSecurityLabel syntax.
2.2.1.1 Security Policy Identifier
A security policy is a set of criteria for the provision of security
services. The eSSSecurityLabel security-policy-identifier is used to
identify the security policy in force to which the security label
relates. It indicates the semantics of the other security label
components.
For the example policies, the following security policy object
identifiers are defined:
-- S/MIME Working Group Object Identifier Registry
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
    rsadsi(113549) pkcs(1) pkcs-9(9) 16 }

-- S/MIME Test Security Policy Arc
id-tsp OBJECT IDENTIFIER ::= { id-smime 7 }

-- Test Security Policies
id-tsp-TEST-Amoco       OBJECT IDENTIFIER ::= { id-tsp 1 }
id-tsp-TEST-Caterpillar OBJECT IDENTIFIER ::= { id-tsp 2 }
id-tsp-TEST-Whirlpool   OBJECT IDENTIFIER ::= { id-tsp 3 }
2.2.1.2 Security Classification
The security classification values and meanings are defined by the
governing company policies. The security-classification values
defined here are hierarchical and deliberately avoid the integers 0
through 5, which RFC 2634 [ESS] already assigns to its basic
classifications (unmarked through top-secret).
Amoco-SecurityClassification ::= INTEGER {
    amoco-general             (6),
    amoco-confidential        (7),
    amoco-highly-confidential (8) }

Caterpillar-SecurityClassification ::= INTEGER {
    caterpillar-public (6),
    caterpillar-green  (7),
    caterpillar-yellow (8),
    caterpillar-red    (9) }

Whirlpool-SecurityClassification ::= INTEGER {
    whirlpool-public       (6),
    whirlpool-internal     (7),
    whirlpool-confidential (8) }
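The receive-side comparison described in sections 1.2 and 1.3, applied to the policy identifiers and classification values above, as an added example in Python (not code from RFC 3114 or from any of the three companies). It assumes a clearance shaped like the X.501 Clearance attribute (policyId plus a classList of granted bit numbers), reads "hierarchical" as "the highest granted level covers every level below it", and treats a label without a security-classification as a policy-only label.

```python
# Added example (not code from RFC 3114): the receive-side check that
# sections 1.2 and 1.3 describe, using the policy OIDs and classification
# integers defined above.  A clearance is modelled after X.501/RFC 3281
# as (policyId, classList).  Assumptions: "hierarchical" means the highest
# granted level covers every level below it, and a label with no
# security-classification is a policy-only label.

ID_SMIME = "1.2.840.113549.1.9.16"      # id-smime
ID_TSP = ID_SMIME + ".7"                 # id-tsp
ID_TSP_AMOCO = ID_TSP + ".1"
ID_TSP_CATERPILLAR = ID_TSP + ".2"
ID_TSP_WHIRLPOOL = ID_TSP + ".3"

# security-classification values per policy; 0..5 are reserved by RFC 2634
CLASSIFICATIONS = {
    ID_TSP_AMOCO: {6: "amoco-general", 7: "amoco-confidential",
                   8: "amoco-highly-confidential"},
    ID_TSP_CATERPILLAR: {6: "caterpillar-public", 7: "caterpillar-green",
                         8: "caterpillar-yellow", 9: "caterpillar-red"},
    ID_TSP_WHIRLPOOL: {6: "whirlpool-public", 7: "whirlpool-internal",
                       8: "whirlpool-confidential"},
}


def is_valid_label(policy_id, classification):
    """True if the classification is one the named policy defines
    (None means the label carries only the policy identifier)."""
    if classification is None:
        return policy_id in CLASSIFICATIONS
    return classification in CLASSIFICATIONS.get(policy_id, {})


def access_allowed(label, clearances):
    """label: (policy_id, classification or None).
    clearances: iterable of (policy_id, class_list); class_list is the
    set of ClassList bit numbers granted under that policy, e.g. {6, 7}."""
    policy_id, classification = label
    if not is_valid_label(policy_id, classification):
        return False               # unknown or reserved value: fail closed
    granted = set()                # only clearances under this policy count
    for cleared_policy, class_list in clearances:
        if cleared_policy == policy_id:
            granted |= set(class_list)
    if not granted:
        return False               # no clearance under the label's policy
    if classification is None:
        return True
    return max(granted) >= classification   # hierarchical comparison
```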
2.2.1.3 Privacy Mark
Privacy marks are specified in the Whirlpool policy. The policy
provides examples of possible markings, but others can be defined by
users as necessary (though no guidance is given). The Whirlpool
policy provides the following examples: MAKE NO COPIES, THIRD PARTY
CONFIDENTIAL, ATTORNEY-CLIENT PRIVILEGED DOCUMENT, DISTRIBUTION
LIMITED TO ____, and COVERED BY A NON-ANALYSIS AGREEMENT.
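A minimal DER encoder for an ESSSecurityLabel assembled from the components in 2.2.1.1 through 2.2.1.3, as an added example in Python (not code from RFC 3114). It assumes the RFC 2634 syntax: ESSSecurityLabel is a SET, so DER emits its components in ascending tag order (the INTEGER classification precedes the policy OID on the wire), and ESSPrivacyMark is a PrintableString when the mark fits that alphabet, otherwise a UTF8String, limited to ub-privacy-mark-length (128) characters.

```python
# Added example (not code from RFC 3114): DER encoding of an
# ESSSecurityLabel from a policy OID, a classification integer and a
# privacy mark.  Assumes RFC 2634 syntax: ESSSecurityLabel is a SET (DER
# orders its components by tag), ESSPrivacyMark is PrintableString or
# UTF8String, at most ub-privacy-mark-length (128) characters.

ID_TSP_WHIRLPOOL = "1.2.840.113549.1.9.16.7.3"   # id-tsp-TEST-Whirlpool
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")

def tlv(tag, body):
    """Tag, DER definite length (short or long form), value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                    # base-128, high bit = "more"
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_integer(value):
    if value < 0:
        raise ValueError("security-classification is non-negative")
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def encode_privacy_mark(text):
    if not 1 <= len(text) <= 128:
        raise ValueError("privacy mark must be 1..128 characters")
    if set(text) <= PRINTABLE:
        return tlv(0x13, text.encode("ascii"))   # pString
    return tlv(0x0C, text.encode("utf-8"))       # utf8String (e.g. "____")

def encode_security_label(policy_id, classification=None, privacy_mark=None):
    parts = [encode_oid(policy_id)]
    if classification is not None:
        parts.append(encode_integer(classification))
    if privacy_mark is not None:
        parts.append(encode_privacy_mark(privacy_mark))
    parts.sort(key=lambda p: p[0])   # DER SET: ascending tag order
    return tlv(0x31, b"".join(parts))
```

The underscores in DISTRIBUTION LIMITED TO ____ are outside the PrintableString alphabet, so that mark is emitted as a UTF8String while MAKE NO COPIES stays a PrintableString.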