[cgl_discussion] Latest draft on security requirements

Mika Kukkonen mika at osdl.org
Tue Nov 12 14:20:30 PST 2002

On ti, 2002-11-12 at 14:01, Stephen Hemminger wrote:
> On Tue, 2002-11-12 at 13:50, Mika Kukkonen wrote:
> > On ti, 2002-11-12 at 12:12, Stephen Hemminger wrote:
> But do the CGL requirements meet the required international standards?

Well, most goverments feel that they want to create their own
_confidential_ security specifications, instead of using publicly
available "standards".

> and are these standards likely to be applied to commercial systems?

If by commercial systems you refer to banks, I actually might agree, but
if you refer to Yahoo or Ebay, I disagree. Crafty businessmen are always
ready to save sizable amount of money now by risking a reasonable loss
in future.

> The problem is that it just isn't paranoid enough; knowing the security
> folks in DRM environments, this just doesn't go far enough.  Really
> think that without TCA platform support the rest of the infrastructure
> becomes a Maginot line of security (ie. looks big and tall but the army
> of hackers just march around it).

OK, so what you are saying is that for a system to be really secure, you
need specialised hardware? I agree with that, but it is definitely _not_
in CGL-WG's scope to start defining such hardware, or even interfaces
towards such hardware (that would be such a can of worms that as a legal
alien in US my palms get sweaty from even thinking about such a thing).

But I guess we could add a fifth level of security ("Hardware assisted
security"?) to the spec and just say that it is not in our scope.

"Good ideas do not die, they just lie down and get recycled." -- me

More information about the cgl_discussion mailing list