"Anton Stiglic" <[EMAIL PROTECTED]> writes:

>But the problem is how can people who know nothing about security evaluate
>which vendor is most committed to security? For the moment, FIPS 140 and CC
>type certifications seem to be the only means for these people...

Yeah, it's largely a case of looking where the light is.  An extreme example
of this is the use of formal methods for high-assurance systems, as required
by FIPS 140-2 level 4.  Why is it in there?  Because FIPS 140-1 had it there
at the highest levels.  Why was it in there?  Because the CC has it in there
at the highest levels.  Why was it in there?  Because the ITSEC had it in
there at the highest levels.  Why was it in there?  Because the Orange Book
('85) had it in there at the highest levels.  Why was it in there?  Because
the proto-Orange Book ('83) had it in there at the highest levels.  Why was it
in there?  Because in the 1970s some mathematicians hypothesised that it might
be possible to prove properties of complex programs/systems in the same way
that they proved basic mathematical theorems.

(Aside: This is starting to sound like that apocryphal "Why are railway tracks
 spaced X units apart" saga).

To continue: At what point in that progression did people realise that this
wasn't a very practical way to build a secure system?  Some time in the late
1970s to early 1980s, when they actually tried to reduce the theory into
practice.  There were quite a number of papers being published even before the
first proto-Orange Book appeared which indicated that this approach was going
to be extremely problematic, with problems... well, insert the standard
shopping list here.

So why is this stuff still present in the very latest certification
requirements?  Because we're measuring what we know how to measure, whether it
makes sense to evaluate security in that way or not.  This is probably why
penetrate-and-patch is still the most widely-used approach to securing
systems.  Maybe the solution to the problem is to figure out how to make
penetrate-and-patch more rigorous and effective...

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
