Certification (was RE: realpath(3) et al) - jumping to -advocacy

twig les twigles at yahoo.com
Thu Aug 14 12:13:20 PDT 2003

I am CC'ing -advocacy on this so we can officially move this
thread over (bc getting chastised hurts my inner-child).  Please
don't CC -security anymore, although I am in no position
whatsoever to enforce this request.  Now, to the topic...

I have the distinct pleasure of working at a huge telco so I
have a pretty good sense of what big business wants in
computing, which is: big-name company, commercial, supported,
reliable software/hardware with "canned" interoperability with
other like hardware/software.

So what would really push FreeBSD in the eyes of my non-tech
bosses (legion, for there are many) are things like:

RSA Ace server natively, for which I believe the library exists; it
just costs $2000 or so, so this one might be BS.

A large company that has a roll-out hardware/software package.
This includes support.  I *know* that it is easy to patch/make
world, but the number of "computer engineers" that have never
heard of SSH is astounding.  Management needs a 3rd-party to
bitch about and know will still be around in 5 years.

A console port on the hardware platform.  Have you ever tried
sending management to the pcweasel web site?

As silly as it sounds (and I understand how silly it sounds), a
certification like the Red Hack one would help.  I apologize
profusely for saying that.

I'm sure I'm missing a lot but if we want a corporate sponsor
like my massive mother company (which rhymes with AT&C) then it
seems like we need different medium companies pushing FreeBSD
instead of redhat as a packaged solution.

--- Robert Watson <rwatson at freebsd.org> wrote:
> On Wed, 13 Aug 2003, Mike Hoskins wrote:
> > i also agree with what you say here, in some sense.  that is, we want
> > fewer bugs more than certification X.  however, while 'fewer bugs' is
> > the better thing in the minds of most coders/admins...  'grade A
> > security' is often the most prominent thing in the minds of the people
> > with money...  often the people who make the decisions.  i.e. which OS
> > gets installed on FBI and NSA computers.  ;)  lots of bureaucracy
> > there...  so having 'certification X' could get fbsd in doors it would
> > not otherwise be allowed to enter.  that's not purely a security issue,
> > but certainly one i'd like to consider as important.  however, i fully
> > agree this portion of the discussion can move to -advocacy.
> >
> > if we can agree on a given cert that's worthwhile (in some sense, like
> > the one SuSe seems to have acquired)...  who is the best person to make
> > the case to -advocacy?  i haven't been subscribed in a while, but i guess
> > it's time to re-subscribe.  :)  how hard would it be to get corporations
> > involved?  even without massive corporate support, if the issue is given
> > enough visibility...  i'd think getting smaller donations from a large
> > number of people should not be impossible.  (people do buy CDs,
> > after all...)
> SuSe has a low assurance (EAL2) evaluation against a custom-written
> evaluation criteria.  I think a much better target would be a higher
> assurance level (EAL3) against a consumer-desired target (such as CAPP).
> Otherwise, it's really a press release, not an evaluation.  As I mentioned
> before, if you want to get into the certification game, what you really
> want is an end-consumer in DoD (or wherever) willing to push for the
> evaluation of FreeBSD in their organization so that once you have it
> evaluated, you have someone who will use it, not to mention help you
> navigate the certification waters.  I think smaller donations would be
> great, but I also think that the cost you're looking at for evaluation is
> probably in excess of what you'd be able to get together in small
> donations--to do CAPP at EAL3, I really can't imagine it costing less than
> 500k, which is a lot of small donations :-).
>
> The best way to get FreeBSD evaluated is to make the sell for FreeBSD in
> environments that require evaluation -- those places are probably capable
> of helping to foot an evaluation bill if they decide they want to run
> FreeBSD.  So from an advocacy perspective, that means keeping research
> organizations building new technology on FreeBSD, helping defense
> contractors use FreeBSD to solve real-world problems, etc.
>
> I agree the certification has value, but it isn't equivalent to code
> review or secure development practices, at least at the lower assurance
> levels.  I'd like to see FreeBSD receive certifications a great deal, and
> I'd like very much to help provide the technical pieces to make that
> possible.  It's one of the important motivations for doing the TrustedBSD
> work: make sure that if an organization comes along wanting to evaluate
> FreeBSD, we've made it as easy for them as possible by providing the
> technical pieces they need.
>
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> robert at fledge.watson.org      Network Associates Laboratories

Emo is what happens when the glee club goes punk.       

