[ih] GOSIP & compliance

Bill Ricker bill.n1vux at gmail.com
Fri Mar 18 14:41:22 PDT 2022 

On Fri, Mar 18, 2022 at 2:34 PM Andrew G. Malis via Internet-history <
internet-history at elists.isoc.org> wrote:

> It's been a while, but as I recall, as a part of this requirement,
> TCP/IP-to-OSI transition plans were necessary. While I was at BBN, I wrote
> such a transition plan for the MILNET (or it might have been for the DoD as
> a whole, as I said, things are hazy). I'm sure that it just went on a shelf
> somewhere once the requirement for a plan was met.
>

It wasn't just MILNET.
The classified side of DDN (for WIN, DODIIS, SACDIN) was also mandated to
move to ISORM/ISO-OSI, well before UK GOSIP '88 or US FIPS OSI '90 mandates
for civil government.

And since the classified side needed procurement/development to produce
security-labelled variants of protocols and Policy-safe implementations
thereof (and applications to use such!), and thus could not be directly
cloned from the COTS (d)ARPAnet/Internet TCP/IP stack, the classified side
supposedly would lead "procurement driven" ISO-OSI (ISORM) development, to
the benefit of Civil government and secular industry, under the benevolent
gaze of ISO/ITU/IEC.


IIRC it was DoDIIS PMO that was MAP's sponsor at The MITRE† Corporation in
the 1980s.
As a captive QNGO, we didn't compete with Industry; we prototyped,
specified, and provided contract-monitoring-assistance to a PMO.
Specifying a network for the entire Intelligence Community (IC) was
interesting, i gather, since some classification codewords were themselves
classified, how you gonna handle THAT in your network protocols? :-D
Our department also had a field site working with SAC HQ (and presumably
thus SACDIN?).
(I don't remember offhand if WIN was specifically addressed during those
years or if it was just presumed that when DDN could handle the security
issues of SAC and the IC it could handle anything less classified as well.)
† it's a metaphor, not an acronym. no really! :-D
This work was of course coordinated with NATO partners.
(Stopping off in Scotland when returning from NATO tech meetings at SAHQ
Brussels is how MAP did his Scotch research.)
(But I can't speak to whether UK GOSIP '88 was an outgrowth of
DoD=>NATO=>MoD OSI discussions or if there was direct contagion from UK
ISO/IEC.)

According to WikiPedia, the DMS (Defense Messagi(e|ing) System) is still
OSI X.400/X.500/X.509 based. I guess it works well enough ... and there may
be some value in it *not* being overly interoperable ;-).

(My own work while i was with MAP at MITRE was in the provably-secure
Multi-Level software, in uses and limits of cryptography, risk management,
and in labeling complex data - not the network protocols, for which our
Dept had MAP in the next group down the hall. MAP's tales of jousting with
ISORMites at Project meetings - including at our own firm's beltway site !
- i found fascinating but not directly applicable - but informative on the
limits of Proof  to a simple policy.
I should mention that also down the hall was Len LaPadula, and across
campus was Dave Bell, neither of whom expected their simple, academic dual
model <https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model> of
security and integrity to become _the_ operational standard for DoD
software, since it was both too strong - basically mandated against every
doing anything useful - and too narrow. On the same hallway as Dave were
the ghost-editors of the Rainbow books, and a Honeywell SCOMP with a
negative serial number. The Sun 3-160C that i ordered for our team's
prototyping MLS DBMS UI project using color*  - a new concept in UI in
1984! - was also used by another group to prototype labeled word processing
with Interleaf TPS.  )
*(work of others, it was "my" computer only because i ordered it - but that
meant i had 'root' :-D )

(Being offered rapid promotion to management if i took a rotation through
Omaha SAC HQ where i'd network support that should have been done by
private contractors contributed to my decision to pursue career options
that would not result in classified paragraphs on my resumé. There are
other forms of interesting meta-data besides security classification
tagging!)

More information about the Internet-history mailing list