This schema document describes the Security Policy Information File (SPIF) namespace, in a form suitable for import by other schema documents.
A SPIF describes a security labelling policy including:
A SPIF can be used to promote the consistent use of security labels and marking and may be used, for example, to
See http://www.xmlspif.org for further information.
The version of the schema:
An Object IDentifier as a string, for example 1.3.26.1.
For further information see X.680 or www.oid-info.com
The Label and Certificate Value as an integer member type.
The Label and Certificate Value as a string member type.
Typically used for category values rather than classifications.
The Label and Certificate Value type, which is the union of the lacvInt and lacvString types.
This value is encoded within the classification and security categories in a security label or a security clearance (which may be held within a certificate).
The selection integer member type, which allows the specification of the maximum number of selections to be made.
The selection string member type, which has specific values:
The selection type, which is the union of the selectionInt and selectionString types, allows the specification of the maximum number of category value selections that can be made.
The equivalencyAction type indicates the action to be performed on a category value when mapping a security label to an equivalent policy.
The values are:
The operation type indicates how many of the categories within an optionalCategoryGroup are required.
The values are:
The format of a tagCategory value that can be entered by the user.
The values are:
The hierarchy type represents the hierarchical value of a classification, as opposed to the value that will be placed into a security label or certificate (the lacv).
The hierarchy value is used to determine the dominance of classification values, for example, when making an access control decision.
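As an added illustration (not code from the xmlspif.org schema or its authors), the following Python makes the dominance decision described above from SPIF-style classification data: the comparison uses the hierarchy value, not the lacv, and category values (lacvString, compared by membership) must be a subset of the clearance. The XML layout and attribute names in the sample are constructed assumptions, not the real schema's structure; the duplicate-value check mirrors the uniqueness constraints the SPIF imposes.

```python
"""Dominance check driven by SPIF-style classification data.
The XML layout below is constructed for this example; the element and
attribute names are assumptions, not the actual xmlspif.org schema."""
import xml.etree.ElementTree as ET

# Constructed sample: lacv order deliberately differs from hierarchy
# order, so ranking on lacv would give the wrong access decision.
SAMPLE_SPIF = """
<spif>
  <securityClassification name="UNCLASSIFIED" lacv="1" hierarchy="1"/>
  <securityClassification name="SECRET" lacv="5" hierarchy="3"/>
  <securityClassification name="CONFIDENTIAL" lacv="3" hierarchy="2"/>
  <securityClassification name="TOP SECRET" lacv="4" hierarchy="4"/>
</spif>
"""


def load_classifications(xml_text):
    """Return {lacv: (name, hierarchy)}, rejecting duplicate lacv or
    hierarchy values (the SPIF's uniqueness constraints)."""
    table, seen_hierarchy = {}, set()
    for el in ET.fromstring(xml_text).iter("securityClassification"):
        lacv, hierarchy = int(el.get("lacv")), int(el.get("hierarchy"))
        if lacv in table or hierarchy in seen_hierarchy:
            raise ValueError(f"duplicate lacv/hierarchy at {el.get('name')}")
        table[lacv] = (el.get("name"), hierarchy)
        seen_hierarchy.add(hierarchy)
    return table


def dominates(table, clearance, label):
    """clearance and label are (classification lacv, set of category lacvs).
    The clearance dominates the label iff its classification's hierarchy
    value (not its lacv) is >= the label's, and it holds every category
    the label carries (categories have no hierarchy; compare by value)."""
    clr_cls, clr_cats = clearance
    lbl_cls, lbl_cats = label
    return table[clr_cls][1] >= table[lbl_cls][1] and lbl_cats <= clr_cats


if __name__ == "__main__":
    t = load_classifications(SAMPLE_SPIF)
    # TOP SECRET (lacv 4) clearance vs SECRET (lacv 5) label -> granted
    print(dominates(t, (4, {"REL-TO-GBR"}), (5, set())))
    # SECRET clearance vs TOP SECRET label -> denied despite larger lacv
    print(dominates(t, (5, set()), (4, set())))
```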
Classification name - the name of a classification (limited to a maximum of 256 characters).
The classification name is the default marking phrase for the classification.
The classification name is also used to identify any classifications that are excluded by a tagCategory.
An instance of a className type which is referenced by the tagCategory type.
Policy name - the name of a policy (limited to a maximum of 256 characters).
The policy name is also used to identify the policy for equivalent policies, classifications and categoryTags.
Marking phrase - a string (limited to a maximum of 256 characters) that will be used in generating a marking from a security label.
Multiple marking phrases may be concatenated to generate the final marking, and different marking phrases may be used in different locations.
Tag Set Name - the name (limited to a maximum of 256 characters) of a set of tags (or categories).
Generalised Time - a string (limited to a maximum of 256 characters) that represents a time.
It may take one of three forms:
Note that these formats are not currently enforced within the type.
Marking Code - the location to display a marking phrase.
The values are:
An instance of a markingCode type which is referenced by the markingData type.
Tag Type - the type of tag category.
The values are:
Enum Type - the type of an enumerated tag category.
The values are:
Tag7 Encoding - the type of tagType7 (informative) tagType.
The same value must be used for all tagType7 tag categories within a category tag set.
The values are:
Qualifier Code - indicates how a markingQualifier is to be applied.
The values are:
Use this value to indicate that the equivalency may be applied when considering the security clearance of the recipient.
The values are:
The color W3C member type, which allows the specification of a color using a standard W3C color name.
The color RGB member type, which allows the specification of a color using Red Green Blue (RGB) values.
The color type, which is the union of the colorW3C and colorRGB types, allows the specification of a color.
A group of attributes that determine the period in which the associated element is valid.
An individual category within a tag set or all categories within a tag set.
Typically, these will be used to indicate required or excluded categories for classifications or other categories.
It consists of:
One, and only one, of lacv or all should be present.
An instance of an optionalCategoryData type which is referenced by the optionalCategoryGroup type.
An instance of an optionalCategoryData type which is referenced by the tagCategory type to indicate the excluded tagCategories.
A group of categories together with an associated operation that indicates how many should be selected.
Typically, this will be used to indicate required categories.
It consists of:
An instance of an optionalCategory type which is referenced by the equivalentSecurityTagSet, equivalentClassification, equivalentPolicy, securityClassification and tagCategory types to indicate the required tagCategories.
The updateInfo type is not currently defined.
Identifies the equivalent classification that should be used in an equivalent label in the target policy.
It may also include a set of categories from the specified policy that must also be included in the equivalent label.
It consists of:
An instance of an equivalentClassification type which is referenced by the securityClassification type.
Identifies the equivalent policies into which a label from the SPIF policy may be mapped.
It consists of:
An instance of an equivalentPolicy type which is referenced by the equivalentPolicies type.
The set of all equivalent policies for which equivalent classifications and equivalent categories are defined for the SPIF policy.
It consists of:
An instance of an equivalentPolicies type which is referenced by the SPIF element.
The privacyMark type describes a privacy mark that may be used in security label.
It consists of:
An instance of a privacyMark type which is referenced by the privacyMarks type.
The privacy marks that may be used in the label.
It consists of:
An instance of a privacyMarks type which is referenced by the SPIF element.
The markingData identifies the marking information attached to the data object.
It consists of:
If the markingPhrase is absent, then the markingCode applies to the SecurityClassification classificationName, TagCategories secCategoryName or SPIF securityPolicyId name, depending on the component the markingData is associated with.
An instance of a markingData type which is referenced by the objectIdData, securityClassifications, securityClassification, tagCategory, privacyMarks and privacyMark types and the SPIF element.
The securityClassification identifies a valid classification within the policy.
It consists of:
An instance of a securityClassification type which is referenced by the securityClassifications type.
The securityClassifications type identifies the valid security classifications within the policy.
It consists of:
An instance of a securityClassifications type which is referenced by the SPIF element.
The equivalentSecCategoryTag type identifies an equivalent secCategoryTag in a different security policy.
It consists of:
An instance of an equivalentSecCategoryTag type which is referenced by the tagCategory type.
The tagCategory type identifies a tagCategory in a given securityCategoryTag. For example, a value within the "Releasable To" securityCategoryTag.
It consists of:
An instance of a tagCategory type which is referenced by the securityCategoryTag type.
The qualifier type identifies a set of qualifiers.
It consists of:
An instance of a qualifier type which is referenced by the markingQualifier type.
The markingQualifier type contains information that qualifies the markingData associated with a data object (e.g. it specifies a suffix or a prefix).
It consists of:
An instance of a markingQualifier type which is referenced by the objectIdData, securityClassifications, securityClassification, securityCategoryTag, tagCategory, privacyMarks and privacyMark types and the SPIF element.
The securityCategoryTag type provides information to qualify the markingData associated with a data object (e.g. it specifies a suffix or a prefix).
It consists of:
An instance of a securityCategoryTag type which is referenced by the securityCategoryTagSet type.
The securityCategoryTagSet type contains information about a given securityCategoryTagSet (e.g. "Releasable To"), including the allowed values.
It consists of:
An instance of a securityCategoryTagSet type which is referenced by the securityCategoryTagSets type.
The equivalentSecurityCategoryTagSet type contains information for mapping a securityCategoryTagSet to an equivalent securityCategoryTagSet in a different policy which contains the same tagCategory values.
It consists of:
An instance of an equivalentSecurityCategoryTag type which is referenced by the securityCategoryTagSet type.
The securityCategoryTagSets type contains the list of securityCategoryTagSet elements defined within the security policy.
It consists of:
An instance of a securityCategoryTagSets type which is referenced by the SPIF element.
The objectIdData type contains information about the security policy identifier and how it should be rendered in a marking.
It consists of:
An instance of an objectIdData type which is referenced by the SPIF element.
An element where vendor or community of interest extensions can be placed to augment the processing of the SPIF.
An instance of an extensions type which is referenced by the SPIF element.
The complete Security Policy Information.
It consists of:
The SPIF also includes some constraints to ensure the uniqueness and referential integrity of the elements within the SPIF. These include: