Date: Thu, 14 Aug 2003 12:13:19 -0700 (PDT)
From: twig les <twigles@yahoo.com>
To: Robert Watson <rwatson@freebsd.org>, Mike Hoskins <mike@adept.org>
Cc: security@freebsd.org
Subject: Re: Certification (was RE: realpath(3) et al) - jumping to -advocacy
Message-ID: <20030814191319.27694.qmail@web10101.mail.yahoo.com>
In-Reply-To: <Pine.NEB.3.96L.1030813231835.78678C-100000@fledge.watson.org>
I am CC'ing -advocacy on this so we can officially move this thread over (bc getting chastised hurts my inner-child). Please don't CC -security anymore, although I am in no position whatsoever to enforce this request.

Now, to the topic... I have the distinct pleasure of working at a huge telco, so I have a pretty good sense of what big business wants in computing, which is: big-name company, commercial, supported, reliable software/hardware with "canned" interoperability with other like hardware/software. So what would really push FreeBSD in the eyes of my non-tech bosses (legion, for there are many) are things like:

RSA Ace server natively, for which I believe the library exists, it just costs $2000 or so, so this one might be BS.

A large company that has a roll-out hardware/software package. This includes support. I *know* that it is easy to patch/make world, but the number of "computer engineers" that have never heard of SSH is astounding. Management needs a 3rd-party to bitch about and know will still be around in 5 years.

A console port on the hardware platform. Have you ever tried sending management to the pcweasel web site?

As silly as it sounds (and I understand how silly it sounds), a certification like the Red Hack one would help. I apologize profusely for saying that.

I'm sure I'm missing a lot, but if we want a corporate sponsor like my massive mother company (which rhymes with AT&C) then it seems like we need different medium companies pushing FreeBSD instead of redhat as a packaged solution.

--- Robert Watson <rwatson@freebsd.org> wrote:
>
> On Wed, 13 Aug 2003, Mike Hoskins wrote:
>
> > i also agree with what you say here, in some sense. that is, we want
> > fewer bugs more than certification X. however, while 'fewer bugs' is
> > the better thing in the minds of most coders/admins... 'grade A
> > security' is often the most prominent thing in the minds of the people
> > with money... often the people who make the decisions. i.e. which OS
> > gets installed on FBI and NSA computers. ;) lots of bureaucracy
> > there... so having 'certification X' could get fbsd in doors it would
> > not otherwise be allowed to enter. that's not purely a security issue,
> > but certainly one i'd like to consider as important. however, i fully
> > agree this portion of the discussion can move to -advocacy.
> >
> > if we can agree on a given cert that's worthwhile (in some sense, like
> > the one SuSe seems to have acquired)... who is the best person to make
> > the case to -advocacy? i haven't been subscribed in awhile, but i guess
> > it's time to re-subscribe. :) how hard would it be to get corporations
> > involved? even without massive corporate support, if the issue is given
> > enough visibility... i'd think getting smaller donations from a large
> > number of people should not be impossible. (people do buy CDs,
> > afterall...)
>
> SuSe has a low assurance (EAL2) evaluation against a custom-written
> evaluation criteria. I think a much better target would be a higher
> assurance level (EAL3) against a consumer-desired target (such as CAPP).
> Otherwise, it's really a press release, not an evaluation. As I mentioned
> before, if you want to get into the certification game, what you really
> want is an end-consumer in DoD (or wherever) willing to push for the
> evaluation of FreeBSD in their organization so that once you have it
> evaluated, you have someone who will use it, not to mention help you
> navigate the certification waters. I think smaller donations would be
> great, but I also think that the cost you're looking at for evaluation is
> probably in excess of what you'd be able to get together in small
> donations--to do CAPP at EAL3, I really can't imagine it costing less than
> 500k, which is a lot of small donations :-).
>
> The best way to get FreeBSD evaluated is to make the sell for FreeBSD in
> environments that require evaluation -- those places are probably capable
> of helping to foot an evaluation bill if they decide they want to run
> FreeBSD. So from an advocacy perspective, that means keeping research
> organizations building new technology on FreeBSD, helping defense
> contractors use FreeBSD to solve real-world problems, etc.
>
> I agree the certification has value, but it isn't equivalent to code
> review or secure development practices, at least at the lower assurance
> levels. I'd like to see FreeBSD receive certifications a great deal, and
> I'd like very much to help provide the technical pieces to make that
> possible. It's one of the important motivations for doing the TrustedBSD
> work: make sure that if an organization comes along wanting to evaluate
> FreeBSD, we've made it as easy for them as possible by providing the
> technical pieces they need.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org      Network Associates Laboratories

=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------