[cgl_discussion] Latest CGL security spec

Steven Dake sdake at mvista.com
Wed Apr 20 13:02:41 PDT 2005


John
I also have some general considerations for the security spec I am
working on with Joseph.  The basic idea is to one-voice sync the
security spec with the other specifications.

Here is what I am thinking feedback welcome.

merge introduction to security spec from introduction and section 2 of
appendix
add section document organizatiopn and make common l&f
add section requirements and roadmap definitions and make common l&f
merge appendix 2-5.5 into beginning of document
keep 6-8 as appendix

This should make a big improvement in one voice without any change to
the requirements...

regards
-steve

On Wed, 2005-04-20 at 10:52, John Cherry wrote:
> On Tue, 2005-04-19 at 09:03 -0700, Cihula, Joseph wrote:
> 
> > 
> > Attached is the latest draft of the CGL security spec.
> > 
> > I believe that there are only two open issues with it: 
> > 1.  There has been some debate about whether it should include
> > requirements for secure default settings (it currently does not).
> > While in principle I think that this is a good thing, I don't think
> > that this version of the specification is appropriate for it.  This is
> > the first version of the CGL security specification and it will be
> > good just to get a solid set of base requirements out to the industry
> > before complicating it with default settings.  
> 
> Let's give the spec a chance and keep it as simple as possible for the
> first release.
> 
> > Also, this spec will be part of the CGL 3.1 release, which is just an
> > incremental release (mainly to include security) and so impacting the
> > rest of the specs (as the defaults would cover requirements in those
> > specs as well) is probably not advised for a point release.  
> 
> It would be difficult to impact the other specifications at this point
> in time.
> 
> > That said, I'm open to opinions.
> 
> 
> > 
> > 2.  SEC.3.1 Log Integrity and Origin Authentication does not have any
> > PoCs that are more recently active than 2003.  It was a P1 requirement
> > from the CGL 2.0 spec.  I propose that it be moved to the roadmap
> > section due to lack of PoC activity.
> 
> Moving SEC.3.1 to the roadmap section should be a proposal for the f2f
> meeting in Paris.  The rationale at this point in time would be that
> there is no development going on with this capability.
> 
> John
> 
> > 
> > (I would post a PDF version but Word can't format it correctly for
> > printing--tech writer to fix).
> > 
> > Joseph Cihula 
> > (Linux) Software Security Architect 
> > Intel Corp.
> > 
> > *** These opinions are not necessarily those of my employer *** 
> > <<cgl_v31_draft_security v08.doc>> 
> > 
> > _______________________________________________
> > cgl_discussion mailing list
> > cgl_discussion at lists.osdl.org
> > http://lists.osdl.org/mailman/listinfo/cgl_discussion
> 
> 
> ______________________________________________________________________
> _______________________________________________
> cgl_discussion mailing list
> cgl_discussion at lists.osdl.org
> http://lists.osdl.org/mailman/listinfo/cgl_discussion




More information about the cgl_discussion mailing list