[Security_sig] 03/31 Conf. call minutes
chrisw at osdl.org
Thu Mar 31 10:25:07 PST 2005
Joseph Cihula (Intel)
Ed Reed (Novell)
Emily Ratliff (IBM)
Serge Hallyn (IBM)
Chris Wright (OSDL)
Matt Anderson (HP)
Mary Edie (OSDL)
- CGL security spec
- DCL security spec
- DTL (-ish) directory style authentication
- OLS BoF material
- any other business
Chris: Find editable version of CGL spec.
Matt: Sent a document out, and worked in some new links (like TPM).
Matt: All that's really left is intro/ending text.
Mary: John Cherry mentions May 3rd, is it on schedule?
Matt: OK, I was working towards mid April (because I will be on
Joseph: Need to incorporate the feedback from the last F2F as well, hope
to work on that over the weekend.
Ed: Mailed out the first cut outline for DCL that parallels the CGL
outline and exposes some of my depth first examinations.
Ed: Short list of target system vs objective tables...i.e. database
server needs to meet these objectives, mid-tier server meet these, etc.
I added the internal infrastructure as well, may be out of scope for
Mary: No it's within scope, we just spend much more time on database and
app server because
Ed: Functionality table, itemization of the best practices that we need
to support. E.g. POSIX style password handling.
Joseph: Do you expect the function table to be matrixed by the profiles or
a superset of the profile?
Ed: Matrixed. Objectives per-profile.
Ed: Assurance table. Docs, arch doc with security items highlighted,
install docs with security relevant bits...Installation, delivery
maintenance. Testing...a part of package build process to give smoke
test on functionality.
Mary: What can happen between now and the next phone call.
Ed: Cleared my plate of a few things, and should have some hotel time
next week to work on this.
Mary: Emily, this work for you?
Emily: Excellent start. Sets the direction.
Ed: Any course direction changes?
Emily: Not off the top of my head, looks like a good starting point.
Mary: Glossary of terms?
Ed: It's in definitions section.
Emily: There's an RFC. I can dig that up.
Mary: NFSv4 test matrix is divided into 5 categories. Security is one
of them that's coming up. I'd like to get someone with security or
security NFS testing experience.
Matt: Maybe James Carter from NSA would be a good candidate?
Chris: Yes, although he's been pretty focused on passing security labels
in the protocol for SELinux. But this would be looking at (header
security, etc...). It would be useful to also find someone who's had
some experience in specifically testing NFS security.
Mary: How should we integrate the effort? They're moving forward in the
next couple weeks on this.
Chris: We could have someone from the NFSv4 side give us a preview of
the testing plans they have and the work they'd like to get done, and
then we can get someone from security sig to work with them. Next conf
Mary: That'd be great.
Ed: It'd be nice to see the comparison of v2/v3 vs. v4 for security,
esp. for someone who's not followed NFS closely.
Chris: Could be done in the call.
Ed: Esp. if they sent some reading material to preview beforehand.
Chris: Mary do you still have contact with Chris Johnson? Perhaps he
could get us in touch with someone at least for a quick brain dump of
what they're doing.
Mary: Yes, I don't know what they're doing for _Linux_ and NFSv4, but
certainly they're testing their own product.
Chris: Directory authentication?
Ed: Kerberos or LDAP (to avoid using NIS). Some closed smart card
Novell product as well.
(more conversation, poorly captured to say: there are some gaps here,
and opensource may be slow to catch up in this area for a while --
please reply to this email if there are specifics you want captured in
Chris: As we've talked about earlier, when we see the desktop
requirement that places requirement on the server side, we should
be tracking that in DCL.
Ed: It's in my outline under infrastructure/authentication.
Chris: OLS BoF has been requested. Be good to start building our agenda
out. I think Emily said some folks from her team will be there, Ed
showed interest, Matt??
Emily: I think this sort of thing just falls out naturally as we get
Chris: I agree, it's tough to plan ahead for things that could've
changed by the time you get there. But it's nice to have some notion of
an agenda, to help people who may plan to attend. If there's anything
you'd like send it to the list.
Ed: DCL should be close to done by then, we could go over that.
Mary: It should be already done (LWE is early August).
Ed: Might be a good place to do an early preview.
Mary: Yes, that sounds like a good idea.
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net