Re: I-417: Association Of Information Flow Attributes W/Subjects And Information
- Subject: Re: I-417: Association Of Information Flow Attributes W/Subjects And Information
- From: "NIAP Interpretations Board" <faigin@aero.org>
- Date: Thu, 31 Jul 2003 19:30:09 -0700
- Reply-to: cc-cmt@nist.gov
Mr. Yakota asked if the words of FDP_IFF meant that one must specify attributes
for both subjects and information.

The answer is that one must specify attributes for whatever entities are
involved in decision making under the information flow policy. If this is a
traditional "MAC" (label-based) policy, then it would be the label of the
subject and the label of the object. However, the policy might not involve
subjects at all, being based instead on the characteristics of information
flowing between two devices.

Access control policies are more likely to have subjects, as they typically
involve some active entity accessing a passive entity (i.e., a subject accessing
an object).

Lastly, Mr. Yakota asked if it was acceptable to associate an attribute with all
subjects and objects/information. The answer is that it depends on the specific
policy.

The specific words used in FDP can be confusing, and as Mr. Yakota has
highlighted over the past year, are imprecise and potentially misleading when
looked at extremely closely. We encourage folks not to get wrapped up in the
low-level nuances, because the authors likely didn't focus on them. However, do
raise the question, so that hopefully in a future version of the criteria,
better vetting can be performed on such nuances.
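The following is an added example, not part of the Board's reply, that models the two cases it describes: a label-based policy whose rules consult both the subject's label and the information's label, and a device-to-device policy whose rules consult only attributes of the information, so no subject attributes need to be specified for it. The labels, subject names, device table and content types are constructed for illustration.

```python
# Added example (not from the NIAP reply): two FDP_IFF-style information flow
# policies, showing that security attributes belong to whichever entities the
# policy's rules actually consult. All names and data below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """MAC label: a hierarchical level plus a set of compartments."""
    level: int
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label          # subject attribute, needed only by the MAC policy


@dataclass(frozen=True)
class Information:
    classification: Label     # information attribute used by the MAC policy
    content_type: str         # information attribute used by the device policy


def mac_flow_permitted(subject: Subject, info: Information, op: str) -> bool:
    """Label-based policy: read requires the subject to dominate the information
    (no read up); write requires the information to dominate the subject (no write down)."""
    if op == "read":
        return subject.clearance.dominates(info.classification)
    if op == "write":
        return info.classification.dominates(subject.clearance)
    raise ValueError(f"unknown operation: {op}")


# Constructed allow-list: which content types may flow to each destination device.
DEVICE_ALLOWED = {"printer": {"text/plain", "application/pdf"}, "modem": {"text/plain"}}


def device_flow_permitted(info: Information, dest_device: str) -> bool:
    """Device-to-device policy: decided solely from the information's attributes,
    with no subject involved. An unknown destination device fails closed."""
    return info.content_type in DEVICE_ALLOWED.get(dest_device, set())


if __name__ == "__main__":
    alice = Subject("alice", Label(2, frozenset({"crypto", "nuclear"})))
    report = Information(Label(2, frozenset({"crypto"})), "application/pdf")
    print(mac_flow_permitted(alice, report, "read"))    # True: alice dominates the label
    print(mac_flow_permitted(alice, report, "write"))   # False: would be a write down
    print(device_flow_permitted(report, "modem"))       # False: PDF not allowed to modem
```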