Certification (was RE: realpath(3) et al)
Dan Airinen
dan.airinen at cyberdoom.org
Thu Aug 14 00:35:54 PDT 2003
Should we do actual work first for the OS, and then consider getting the
certification ?.
The more actual work we do, the better we look (and feel ;)).
I guess OpenBSD doesn't have any certification, but still goverments and
company's uses them.
Only my $0.20
On Wed, 13 Aug 2003, Mike Hoskins wrote:
> On Tue, 12 Aug 2003, Robert Watson wrote:
> > The real upshot of all this, btw, is that security evaluation against the
> > CC and related specs will have very little relationship to closing bugs
> > associated with realpath(), et al. A source code auditing effort, funded
> > or otherwise, would still be extremely useful, but the goal would have to
> > be a more pragmatic "fewer bugs", and not a certification "Grade A
> > Security" :-).
>
> firstly, i highly respect your opinions... based upon past correspondance
> and the work i've seen from you.
>
> i also agree with what you say here, in some sense. that is, we want
> fewer bugs more than certification X. however, while 'fewer bugs' is the
> better thing in the minds of most coders/admins... 'grade A security' is
> often the most prominent thing in the minds of the people with money...
> often the people who make the decissions. i.e. which OS gets installed on
> FBI and NSA computers. ;) lots of beuracracy there... so having
> 'certification X' could get fbsd in doors it would not otherwise be
> allowed to enter. that's not purely a security issue, but certianly one
> i'd like to consider as important. however, i fully agree this portion of
> the discussion can move to -advocacy.
>
> if we can agree on a given cert that's worthwhile (in some sense, like the
> one SuSe seems to have accquired)... who is the best person to make the
> case to -advocacy? i haven't been subscribed in awhile, but i guess it's
> time to re-subscribe. :) how hard would it be to get corporations
> involved? even without massive corporate support, if the issue is given
> enough visibility... i'd think getting smaller donations from a large
> number of people should not be impossible. (people do buy CDs,
> afterall...)
>
> -mrh
>
> --
> From: "Spam Catcher" <spam-catcher at adept.org>
> To: spam-catcher at adept.org
> Do NOT send email to the address listed above or
> you will be added to a blacklist!
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list