[cgl_specs] Re: [cgl_discussion] Latest draft on security requirements

Stefano Campadello stefano.campadello at nokia.com
Wed Nov 20 02:24:54 PST 2002


On Wed, 13 Nov 2002, ext Peter Badovinatz wrote:

> Stephen Hemminger wrote:
> >
> > Be careful about (REQ-SEC-3.3.1) Digital signature verification of
> > binaries.  There are several patents on signed code and some of the IP
> > holders are known to be litigious.  InterTrust (soon to be
> > Sony/Philips), Microsoft, Intel and probably others have a big stake in
> > this.
>
> An interesting point.  But I would like to pare back the 'requirement'
> in a way to be "the necessity of verifying binaries on your system".  A
> digital signature is actually a solution to this.  Note that I can't
> really identify, off-hand, any other solutions.  But we avoid the
> hot-button phrase of 'digital signature' in the requirement.
>
> I do not want to simply drop this whole subject because of the patent
> issue.  Are there other ways to solve the problem?  Rephrasing, as I
> did, opens up the thought process I hope.
>

I agree with the fact that (the possible existence of) patents shouldn't
refrain us to write our requirements. Maybe we should state somewhere
in the req. document that such patents could exist.

Stefano


 ----------------------------------------------------------------
 Stefano Campadello        Phone:  +358 50 4837503
 Nokia Research Center     Fax:    +358 7180 36308
 P.O.Box 407               Email:  Stefano.Campadello at nokia.com
 FIN-00045 NOKIA GROUP     Office: Itmerenkatu 11-13,
 Finland                   FIN-00180, Helsinki, Finland
 ----------------------------------------------------------------






More information about the cgl_discussion mailing list