Re: [No subject]
Housley, Russ (housley@spyrus.com)
Mon, 26 Feb 96 10:05:55
Brad:
>> Earlier, I mentioned that two and a half protocols survived the
>> day. The remaining one is MSP. It's actually not a bad protocol. It
>> has two features that none of the others have: the ability to label
>> classified messages, and a cryptographically strong signed receipt.
>> Both of these functions are highly important for government users. It
>> looks like government suppliers are going to go ahead and implement
>> it, and the government is going to use it.
>
>Although these benefits are present in the current MSP, I
>don't see anything inherent in MSP that makes it necessarily superior in these
>areas. If you were doing normal MIME-type receipts (whatever that means, since
>I think there are three different drafts under way currently), and you simply
>added the ability to cryptographically sign a timestamp in the "proper" MIME
>receipt type, then MSP would lose this advantage.
MSP signed receipts are more than just signed delivery notices. The content
from the original message is cryptographically bound to the receipt. Thus,
if the receipt validation works correctly, then the original message was
received by the recipient without error. The originator can prove to a third
party that the recipient got the message and that the message was not altered
in transit.
I think that this service cannot be downplayed. It is needed for electronic
commerce.
>I think labeling could potentially be done by follow-on
>versions of other packages as well, since I think we all agree that generic
>labeling which can be used both for standard gov't-style classification levels
>and compartments, as well as for business-style sensitivity labeling. In fact,
>I'd almost be inclined to say that it would likely be as easy (or easier) to
>create a new general-purpose labeling system for use with any of the
>competitors than it would be to modify MSP to support business-style labels in
>addition to the gov't-style labels I'm sure it has today (maybe it already has
>labels, but I don't think that this is that tough of a problem to solve in any
>event).
MSP already supports any security policy that uses labels. The label field
begins with an object identifier. This object identifier tells which
security policy to apply, and it tells the format and interpretation for
the rest of the label.
Russ
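The receipt binding Russ describes above, as an added example that is not part of the original message and not MSP's actual receipt format: a hypothetical receipt whose signed bytes include a SHA-256 digest of the received content, signed with Ed25519 (algorithm choices assumed here; the page does not give MSP's own). A third party holding the original content and the recipient's public key can verify it, and verification fails if the content was altered in transit.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Receipt is a hypothetical signed-receipt structure (not MSP's encoding). The
// content digest is inside the signed bytes, so a receipt binds one message only.
type Receipt struct {
	ContentDigest [32]byte
	RecipientID   string
	Timestamp     int64 // seconds since the Unix epoch
	Signature     []byte
}

// NewRecipientKey generates the recipient's signing key pair.
func NewRecipientKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// receiptBytes is the exact byte string the recipient signs and a verifier recomputes.
func receiptBytes(digest [32]byte, recipientID string, ts int64) []byte {
	b := append(append([]byte{}, digest[:]...), 0, 0, 0, 0, 0, 0, 0, 0)
	binary.BigEndian.PutUint64(b[32:], uint64(ts))
	return append(b, recipientID...)
}

// MakeReceipt is run by the recipient over the content it actually received.
func MakeReceipt(priv ed25519.PrivateKey, recipientID string, ts int64, received []byte) Receipt {
	d := sha256.Sum256(received)
	return Receipt{d, recipientID, ts, ed25519.Sign(priv, receiptBytes(d, recipientID, ts))}
}

// VerifyReceipt is run by the originator or a third party holding the original content
// and the recipient's public key; it passes only for a receipt over exactly that content.
func VerifyReceipt(pub ed25519.PublicKey, original []byte, r Receipt) error {
	if sha256.Sum256(original) != r.ContentDigest {
		return errors.New("receipt is bound to different content")
	}
	if !ed25519.Verify(pub, receiptBytes(r.ContentDigest, r.RecipientID, r.Timestamp), r.Signature) {
		return errors.New("receipt signature does not verify")
	}
	return nil
}
```

The recipient ID and timestamp are inside the signed bytes as well, so changing either after signing also invalidates the receipt.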