Certification (was RE: realpath(3) et al) - jumping to -advocacy
twig les
twigles at yahoo.com
Thu Aug 14 12:13:20 PDT 2003
I am CC'ing -advocacy on this so we can officially move this
thread over (bc getting chastised hurts my inner-child). Please
don't CC -security anymore, although I am in no position
whatsoever to enforce this request. Now, to the topic...
I have the distinct pleasure of working at a huge telco so I
have a pretty good sense of what big business wants in
computing, which is: big-name company, commercial, supported,
reliable software/hardware with "canned" interoperability with
other like hardware/software.
So what would really push FreeBSD in the eyes of my non-tech
bosses (legion, for there are many) are things like:
RSA Ace server natively. I believe the library exists, it just
costs $2000 or so, so this one might be BS.
A large company that has a roll-out hardware/software package.
This includes support. I *know* that it is easy to patch/make
world, but the number of "computer engineers" that have never
heard of SSH is astounding. Management needs a 3rd-party to
bitch about and know will still be around in 5 years.
A console port on the hardware platform. Have you ever tried
sending management to the pcweasel web site?
As silly as it sounds (and I understand how silly it sounds), a
certification like the Red Hack one would help. I apologize
profusely for saying that.
I'm sure I'm missing a lot but if we want a corporate sponsor
like my massive mother company (which rhymes with AT&C) then it
seems like we need different medium companies pushing FreeBSD
instead of redhat as a packaged solution.
--- Robert Watson <rwatson at freebsd.org> wrote:
>
> On Wed, 13 Aug 2003, Mike Hoskins wrote:
>
> > i also agree with what you say here, in some sense. that is, we want
> > fewer bugs more than certification X. however, while 'fewer bugs' is
> > the better thing in the minds of most coders/admins... 'grade A
> > security' is often the most prominent thing in the minds of the people
> > with money... often the people who make the decisions. i.e. which OS
> > gets installed on FBI and NSA computers. ;) lots of bureaucracy
> > there... so having 'certification X' could get fbsd in doors it would
> > not otherwise be allowed to enter. that's not purely a security issue,
> > but certainly one i'd like to consider as important. however, i fully
> > agree this portion of the discussion can move to -advocacy.
> >
> > if we can agree on a given cert that's worthwhile (in some sense, like
> > the one SuSe seems to have acquired)... who is the best person to make
> > the case to -advocacy? i haven't been subscribed in awhile, but i guess
> > it's time to re-subscribe. :) how hard would it be to get corporations
> > involved? even without massive corporate support, if the issue is given
> > enough visibility... i'd think getting smaller donations from a large
> > number of people should not be impossible. (people do buy CDs,
> > after all...)
>
> SuSe has a low assurance (EAL2) evaluation against custom-written
> evaluation criteria. I think a much better target would be a higher
> assurance level (EAL3) against a consumer-desired target (such as CAPP).
> Otherwise, it's really a press release, not an evaluation. As I mentioned
> before, if you want to get into the certification game, what you really
> want is an end-consumer in DoD (or wherever) willing to push for the
> evaluation of FreeBSD in their organization so that once you have it
> evaluated, you have someone who will use it, not to mention help you
> navigate the certification waters. I think smaller donations would be
> great, but I also think that the cost you're looking at for evaluation is
> probably in excess of what you'd be able to get together in small
> donations--to do CAPP at EAL3, I really can't imagine it costing less than
> 500k, which is a lot of small donations :-).
>
> The best way to get FreeBSD evaluated is to make the sell for FreeBSD in
> environments that require evaluation -- those places are probably capable
> of helping to foot an evaluation bill if they decide they want to run
> FreeBSD. So from an advocacy perspective, that means keeping research
> organizations building new technology on FreeBSD, helping defense
> contractors use FreeBSD to solve real-world problems, etc.
>
> I agree the certification has value, but it isn't equivalent to code
> review or secure development practices, at least at the lower assurance
> levels. I'd like to see FreeBSD receive certifications a great deal, and
> I'd like very much to help provide the technical pieces to make that
> possible. It's one of the important motivations for doing the TrustedBSD
> work: make sure that if an organization comes along wanting to evaluate
> FreeBSD, we've made it as easy for them as possible by providing the
> technical pieces they need.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert at fledge.watson.org    Network Associates Laboratories
>
>
=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------