From owner-freebsd-security@FreeBSD.ORG Thu Aug 14 00:35:54 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F25637B401 for ; Thu, 14 Aug 2003 00:35:54 -0700 (PDT) Received: from tsunami.cyberdoom.org (ip212-226-145-17.adsl.eunet.fi [212.226.145.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 76B6743FBD for ; Thu, 14 Aug 2003 00:35:52 -0700 (PDT) (envelope-from dan.airinen@cyberdoom.org) Received: from daemon.cyberdoom.org (daemon.cyberdoom.org [212.226.145.19]) by tsunami.cyberdoom.org (Postfix) with ESMTP id E6E24188D19; Thu, 14 Aug 2003 10:35:45 +0300 (EEST) Received: from daemon.cyberdoom.org (daemon.cyberdoom.org [212.226.145.19]) by daemon.cyberdoom.org (8.12.9/8.12.9) with ESMTP id h7E7ZkxQ004608; Thu, 14 Aug 2003 10:35:46 +0300 (EEST) (envelope-from dan@cyberdoom.org) Date: Thu, 14 Aug 2003 10:35:46 +0300 (EEST) From: Dan Airinen To: Mike Hoskins In-Reply-To: <20030813190151.X4965@fubar.adept.org> Message-ID: <20030814102846.K4594-100000@daemon.cyberdoom.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: security@freebsd.org Subject: Re: Certification (was RE: realpath(3) et al) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Aug 2003 07:35:54 -0000 Should we do actual work first for the OS, and then consider getting the certification ?. The more actual work we do, the better we look (and feel ;)). I guess OpenBSD doesn't have any certification, but still goverments and company's uses them. Only my $0.20 On Wed, 13 Aug 2003, Mike Hoskins wrote: > On Tue, 12 Aug 2003, Robert Watson wrote: > > The real upshot of all this, btw, is that security evaluation against the > > CC and related specs will have very little relationship to closing bugs > > associated with realpath(), et al. A source code auditing effort, funded > > or otherwise, would still be extremely useful, but the goal would have to > > be a more pragmatic "fewer bugs", and not a certification "Grade A > > Security" :-). > > firstly, i highly respect your opinions... based upon past correspondance > and the work i've seen from you. > > i also agree with what you say here, in some sense. that is, we want > fewer bugs more than certification X. however, while 'fewer bugs' is the > better thing in the minds of most coders/admins... 'grade A security' is > often the most prominent thing in the minds of the people with money... > often the people who make the decissions. i.e. which OS gets installed on > FBI and NSA computers. ;) lots of beuracracy there... so having > 'certification X' could get fbsd in doors it would not otherwise be > allowed to enter. that's not purely a security issue, but certianly one > i'd like to consider as important. however, i fully agree this portion of > the discussion can move to -advocacy. > > if we can agree on a given cert that's worthwhile (in some sense, like the > one SuSe seems to have accquired)... who is the best person to make the > case to -advocacy? i haven't been subscribed in awhile, but i guess it's > time to re-subscribe. :) how hard would it be to get corporations > involved? even without massive corporate support, if the issue is given > enough visibility... i'd think getting smaller donations from a large > number of people should not be impossible. (people do buy CDs, > afterall...) > > -mrh > > -- > From: "Spam Catcher" > To: spam-catcher@adept.org > Do NOT send email to the address listed above or > you will be added to a blacklist! > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >