From owner-freebsd-security@FreeBSD.ORG  Wed Aug 13 20:25:21 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2ED3E37B401
	for <security@freebsd.org>; Wed, 13 Aug 2003 20:25:21 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7EE8143F93
	for <security@freebsd.org>; Wed, 13 Aug 2003 20:25:20 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (localhost [127.0.0.1])
	by fledge.watson.org (8.12.9/8.12.9) with ESMTP id h7E3OpAL087296;
	Wed, 13 Aug 2003 23:24:51 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Received: from localhost (robert@localhost)h7E3Op24087293;
	Wed, 13 Aug 2003 23:24:51 -0400 (EDT)
Date: Wed, 13 Aug 2003 23:24:51 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
X-Sender: robert@fledge.watson.org
To: Mike Hoskins <mike@adept.org>
In-Reply-To: <20030813190151.X4965@fubar.adept.org>
Message-ID: <Pine.NEB.3.96L.1030813231835.78678C-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: security@freebsd.org
Subject: Re: Certification (was RE: realpath(3) et al)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Aug 2003 03:25:21 -0000


On Wed, 13 Aug 2003, Mike Hoskins wrote:

> i also agree with what you say here, in some sense.  that is, we want
> fewer bugs more than certification X.  however, while 'fewer bugs' is
> the better thing in the minds of most coders/admins...  'grade A
> security' is often the most prominent thing in the minds of the people
> with money...  often the people who make the decissions.  i.e. which OS
> gets installed on FBI and NSA computers.  ;)  lots of beuracracy
> there...  so having 'certification X' could get fbsd in doors it would
> not otherwise be allowed to enter.  that's not purely a security issue,
> but certianly one i'd like to consider as important.  however, i fully
> agree this portion of the discussion can move to -advocacy. 
> 
> if we can agree on a given cert that's worthwhile (in some sense, like
> the one SuSe seems to have accquired)...  who is the best person to make
> the case to -advocacy?  i haven't been subscribed in awhile, but i guess
> it's time to re-subscribe.  :)  how hard would it be to get corporations
> involved?  even without massive corporate support, if the issue is given
> enough visibility...  i'd think getting smaller donations from a large
> number of people should not be impossible.  (people do buy CDs,
> afterall...) 

SuSe has a low assurance (EAL2) evaluation against a custom-written
evaluation criteria.  I think a much better target would be a higher
assurance level (EAL3) against a consumer-desired target (such as CAPP).
Otherwise, it's really a press release, not an evaluation.  As I mentioned
before, if you want to get into the certification game, what you really
want is an end-consumer in DoD (or wherever) willing to push for the
evaluation of FreeBSD in their organization so that once you have it
evaluated, you have someone who will use it, not to mention help you
navigate the certification waters.  I think smaller donations would be
great, but I also think that the cost you're looking at for evaluation is
probably in excess of what you'd be able to get together in small
donations--to do CAPP at EAL3, I really can't imagine it costing less than
500k, which is a lot of small donations :-).

The best way to get FreeBSD evaluated is to make the sell for FreeBSD in
environments that require evaluation -- those places are probably capable
of helping to foot an evaluation bill if they decide they want to run
FreeBSD.  So from an advocacy perspective, that means keeping research
organizations building new technology on FreeBSD, helping defense
contractors use FreeBSD to solve real-world problems, etc.

I agree the certification has value, but it isn't equivilent to code
review or secure development practices, at least a the lower assurance
levels.  I'd like to see FreeBSD receive certifications a great deal, and
I'd like very much to help provide the technical pieces to make that
possible.  It's one of the important motivations for doing the TrustedBSD
work: make sure that if an organization comes along wanting to evaluate
FreeBSD, we've made it as easy for them as possible by providing the
technical pieces they need.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories