Security Labels and ESS: Backgrounder

Use of security labels is standard practice for handling information in high-security environments. Documents are marked with a label, such as "Secret," and access to information is controlled by an equivalent security clearance. Security labels for online information generally use ESS (Enhanced Security Services for S/MIME - RFC 2634), which is based on the X.411 specification. Compatible security clearances are defined in X.501.

An ESS security label comprises:

  • Policy. This identifies the policy controlling the security label (e.g., NATO).
  • Classification. This is an extensible definition of the label classification (e.g., "Restricted").
  • Privacy Mark. A text description, typically used when printing the security label.
  • Categories. An extensible mechanism to provide additional information within the label, typically to restrict its scope (e.g., to a specific class of information).

A security clearance covers a set of classifications and associated categories. A security clearance is usually referred to by the highest of the classifications it includes. However, it is important to remember that a security label has a single value, whereas a security clearance is a set of values against which a security label is matched.
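The matching described above, sketched as an added example (not code from the original article or from any product): a label's single classification is tested for membership in the clearance's set, so a clearance named "Secret" does not automatically cover every lower classification. The class and function names, the policy OID and the category names are hypothetical, and the rule that every category on the label must be held is an assumption, since category semantics are defined by the policy.

```python
from dataclasses import dataclass
from enum import IntEnum

class Classification(IntEnum):
    """Basic classification values defined in RFC 2634 / X.411."""
    UNMARKED = 0
    UNCLASSIFIED = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3
    SECRET = 4
    TOP_SECRET = 5

@dataclass(frozen=True)
class SecurityLabel:
    policy: str                       # policy identifier (an OID in ESS)
    classification: Classification    # a label carries exactly one value
    privacy_mark: str = ""            # display text only, ignored by the check
    categories: frozenset = frozenset()

@dataclass(frozen=True)
class Clearance:
    policy: str
    classifications: frozenset        # the set of values the holder may access
    categories: frozenset = frozenset()

    def name(self) -> str:
        """Conventional short name: the highest classification in the set."""
        return max(self.classifications).name if self.classifications else "NONE"

def check_access(label: SecurityLabel, clearance: Clearance) -> tuple:
    """Return (allowed, reason) for one label matched against one clearance."""
    if label.policy != clearance.policy:
        return False, "policy mismatch"
    if label.classification not in clearance.classifications:
        return False, "classification not in clearance"
    # Assumption: categories are restrictive, so all of them must be held.
    missing = label.categories - clearance.categories
    if missing:
        return False, "missing categories: " + ", ".join(sorted(missing))
    return True, "ok"

# Constructed sample data; the OID and category names are placeholders.
POLICY = "1.3.6.1.4.1.99999.1"
C = Classification
analyst = Clearance(POLICY, frozenset({C.UNCLASSIFIED, C.RESTRICTED, C.SECRET}),
                    frozenset({"PROJECT-A"}))
memo = SecurityLabel(POLICY, C.SECRET, "SECRET - PROJECT A", frozenset({"PROJECT-A"}))
draft = SecurityLabel(POLICY, C.CONFIDENTIAL)

if __name__ == "__main__":
    print(analyst.name(), check_access(memo, analyst), check_access(draft, analyst))
```

The constructed `analyst` clearance is named SECRET yet is denied the CONFIDENTIAL `draft`, because CONFIDENTIAL is not in its set of classifications.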

... Steve Kille
