From: Peter Thoenen <eol1@yahoo.com>
To: Thorsten Steentjes
Cc: freebsd-security@freebsd.org
Date: Mon, 13 Mar 2006 14:56:59 -0800 (PST)
Subject: Re: DSD Approved Products
In-Reply-To: <20060313175458.GA79121@duke.tm.priv>
Message-ID: <20060313225659.40917.qmail@web51905.mail.yahoo.com>

--- Thorsten Steentjes wrote:

> Could you please explain what you mean with loophole in that context?

Arg... going to make me track down obscure government regs, are you ... been a couple years since I did IA work :)

Unsure exactly which higher-level US Department of Defense Instruction this loophole was originally derived from, but US Army Regulation 25-2, Information Assurance, dated 03JUN14, Section II 4-6l states:

'Use of “open source” software (for example, Red Hat Linux) is permitted when the source code is available for examination of malicious content, applicable configuration implementation guidance is available and implemented, a protection profile is in existence, or a risk and vulnerability assessment has been conducted with mitigation strategies implemented with DAA and CCB approval. Notify NETCOM RCIOs and the supporting RCERT/TNOSC of local software use approval.'

So in fact what it is saying is that open source software is exempt from the CSLA process provided the local Designated Approving Authority (read in corporate speak: Division President) approves it. Yes, this has been debated at multiple high-level theater conferences, and yes, this really is what it says (some anti-OSS IA guys felt it was still a bit vague and hence prohibited). It has been clarified to read exactly what it implies above.

NOTE: Yes, I used to be a US Army IA policy wonk years ago.