[Security_sig] Pls review DLT Cap Doc 1.0 Security Section Draft

Emily Ratliff emilyr at us.ibm.com
Fri Jan 7 08:24:52 PST 2005


A few specific comments on the DLT security section:

Data Protection Services - firewall sticks out as probably not belonging in
this section and indeed it has its own section where the same words are
repeated. Recommended references GPG and this OLS paper

Directory Based Authentication - Recommended references winbind and

PKI on Linux is an interesting topic. When you say "Linux should support
PKI", what exactly is meant? OpenSSL provides the basic implementation via
command line. Is that considered sufficient to meet this requirement? Last
time I checked (a couple of years ago) none of the GUI frontends to run a
full infrastructure (creating, revoking, and managing users and
certificates) were really robust enough to provide enterprise level
infrastructure support. If I were trying to conform to this spec, I would
try to argue that OpenSSL is enough. If that is not what you intended, I
would recommend clarifying this requirement.

Local Authorization - rather than saying local ACL database, recommend
pointing to http://acl.bestbits.at/

Passphrase-based File Encryption - recommend referring to GPG again.

X509 Certificate based File Encryption - are both Passphrase and X509 file
encryption mandatory, or would one of the two be sufficient for complying
with the spec? The way that it is written both are required. Perhaps
reference gpgsm

Even if you want to leave out anti-virus, I would recommend some type of
spam amelioration (such as spamassassin) since many of these machines will
be used to access email.

However you get to the actual requirements, I really like this format for
presenting and explaining the requirements.


Emily Ratliff
IBM Linux Technology Center, Security
CISSP #51839
512-838-0409 (T/L 678-0409)
emilyr at us.ibm.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.linux-foundation.org/pipermail/security_sig/attachments/20050107/888bec7e/attachment-0001.htm

More information about the security_sig mailing list