
kmip message



Subject: Re: [kmip] NIST Security Category


Hi Tim,



There is also a new concept of Security Category which I think we should adopt as a NIST Security Category attribute as an integer value (current values 1 through 5 are defined and deliberately not given symbolic names).

NIST Security Category 0x4201C2
(integer value 1 through 5)



The NIST security category is weak. Having a single number to indicate the sensitivity of data is limiting and won't work for US DOD data.
(https://en.wikipedia.org/wiki/Classified_information_in_the_United_States) When I worked on a US DOD networking project the data on the
network used labels that were similar to what was used on paper documents which contained at least two indications: a security level (e.g., Secret), and
compartments and special handling instructions (e.g., Crypto). Data and people are given the same kind of labeling since just because you have a Secret
clearance does not mean you can access all Secret data.

KMIP keys, opaque data etc. are still data and should have a complete security attribute. So a security attribute should be a structure and not a single integer
value (this way it can also be extended). For commercial applications a structure would be more useful.

Chuck and I proposed this several years ago but it did not go anywhere since every country does this differently and our proposal got too complicated.


Regards,
Mark Joseph, Ph.D. 
President P6R, Inc 
408-205-0361 
http://www.linkedin.com/pub/mark-joseph/0/752/4b4
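
The level-plus-compartments labeling described in the message above, as an added example that is not part of the original email and is not KMIP or NIST code. `SecurityLabel`, the `LEVELS` ordering and the sample labels are hypothetical names and constructed values chosen for illustration.

```python
from dataclasses import dataclass

# Constructed level ordering for illustration; not taken from KMIP or NIST.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class SecurityLabel:
    """Hypothetical structured label: one level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level: {self.level!r}")

    def dominates(self, other: "SecurityLabel") -> bool:
        # Access requires a sufficient level AND every compartment on the data.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def integer_only_allows(subject: SecurityLabel, obj: SecurityLabel) -> bool:
    """What a single-integer attribute can express: compare levels only."""
    return LEVELS[subject.level] >= LEVELS[obj.level]


def evaluate(subject: SecurityLabel, obj: SecurityLabel) -> dict:
    """Return both decisions side by side for the same subject and object."""
    return {"integer_only": integer_only_allows(subject, obj),
            "structured": subject.dominates(obj)}


# Constructed sample labels.
KEY = SecurityLabel("Secret", frozenset({"Crypto"}))
ANALYST = SecurityLabel("Secret")            # Secret clearance, no compartments
CUSTODIAN = SecurityLabel("Secret", frozenset({"Crypto"}))
OVERCLEARED = SecurityLabel("Top Secret")    # higher level, still no compartment

if __name__ == "__main__":
    for name, who in [("analyst", ANALYST), ("custodian", CUSTODIAN),
                      ("overcleared", OVERCLEARED)]:
        print(name, evaluate(who, KEY))
```

The analyst and the over-cleared subject both pass the integer comparison but fail the structured check, which is the gap the message attributes to a single-number attribute.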



