Implementing Company Classification Policy with the S/MIME Security Label (RFC3114)
Original Publication Date: 2002-May-01
Included in the Prior Art Database: 2002-May-23
Internet Society Requests For Comment (RFCs)
This document discusses how company security policy for data classification can be mapped to the S/MIME security label. Actual policies from three companies provide worked examples.
Network Working Group W. Nicolls
Request for Comments: 3114 Forsythe Solutions
Category: Informational May 2002
Implementing Company Classification Policy
with the S/MIME Security Label
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright (C) The Internet Society (2002). All Rights Reserved.
1. Introduction
Security labels are an optional security service for S/MIME. A
security label is a set of security information regarding the
sensitivity of the content that is protected by S/MIME encapsulation.
A security label can be included in the signed attributes of any
SignedData object. A security label attribute may be included in
either the inner signature, outer signature, or both. The syntax and
processing rules for security labels are described in RFC 2634 [ESS].
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in RFC 2119 [MUSTSHOULD].
1.1 Information Classification Policies
Information is an asset, but not all information has the same value
for a business. Not all information needs to be protected as
strongly as other information.
Research and development plans, marketing strategies and
manufacturing quality specifications developed and used by a company
provide competitive advantage. This type of information needs
stronger protective measures than other information, which if
disclosed or modified, would cause moderate to severe damage to the
Other types of information such as internal organization charts,
employee lists and policies may need little or no protective measures
based on the value the organization places on it.
A corporate information classification policy defines how its
information assets are to be protected. It provides guidance to
employees on how to classify information assets. It defines how to
label and protect an asset based on its classification and state
(e.g., facsimile, electronic transfer, storage, shipping, etc.).
1.2 Access Control and Security Labels
"Access control" is a means of enforcing authorizations. There are a
variety of access control methods that are based on different types
of policies and rely on different security mechanisms.
- Rule based access control is based on policies that can be
- Identity based access control is based on a policy which applies
explicitly to an individual person or host entity, or to a defined
group of such entities. Once identity has been authenticated, if
the identity is verified to be on the...