Date:      Thu, 14 Aug 2003 10:35:46 +0300 (EEST)
From:      Dan Airinen <dan.airinen@cyberdoom.org>
To:        Mike Hoskins <mike@adept.org>
Cc:        security@freebsd.org
Subject:   Re: Certification (was RE: realpath(3) et al)
Message-ID:  <20030814102846.K4594-100000@daemon.cyberdoom.org>
In-Reply-To: <20030813190151.X4965@fubar.adept.org>

Should we do actual work first for the OS, and then consider getting the
certification?

The more actual work we do, the better we look (and feel ;)).

I guess OpenBSD doesn't have any certification, but still governments and
companies use it.

Only my $0.20

On Wed, 13 Aug 2003, Mike Hoskins wrote:

> On Tue, 12 Aug 2003, Robert Watson wrote:
> > The real upshot of all this, btw, is that security evaluation against the
> > CC and related specs will have very little relationship to closing bugs
> > associated with realpath(), et al.  A source code auditing effort, funded
> > or otherwise, would still be extremely useful, but the goal would have to
> > be a more pragmatic "fewer bugs", and not a certification "Grade A
> > Security" :-).
>
> firstly, i highly respect your opinions...  based upon past correspondence
> and the work i've seen from you.
>
> i also agree with what you say here, in some sense.  that is, we want
> fewer bugs more than certification X.  however, while 'fewer bugs' is the
> better thing in the minds of most coders/admins...  'grade A security' is
> often the most prominent thing in the minds of the people with money...
> often the people who make the decisions.  i.e. which OS gets installed on
> FBI and NSA computers.  ;)  lots of bureaucracy there...  so having
> 'certification X' could get fbsd in doors it would not otherwise be
> allowed to enter.  that's not purely a security issue, but certainly one
> i'd like to consider as important.  however, i fully agree this portion of
> the discussion can move to -advocacy.
>
> if we can agree on a given cert that's worthwhile (in some sense, like the
> one SuSe seems to have acquired)...  who is the best person to make the
> case to -advocacy?  i haven't been subscribed in awhile, but i guess it's
> time to re-subscribe.  :)  how hard would it be to get corporations
> involved?  even without massive corporate support, if the issue is given
> enough visibility...  i'd think getting smaller donations from a large
> number of people should not be impossible.  (people do buy CDs,
> after all...)
>
> -mrh


