[Security_sig] 9/15 Conf. call minutes

Chris Wright chrisw at osdl.org
Thu Oct 13 09:50:42 PDT 2005

	Chris Wright (OSDL)
	Ed Reed (Novell)
	Dennis Wells (Unisys)
	Matt Anderson (HP)
	Mary Edie Meredith (OSDL)
	Emily Ratliff (IBM)


	- DCL security
	- Other security efforts


	- Emily's list
	- Chris's list
	- Mary compare CGL


Chris: DCL security document stalled out.

Emily:  Mary gave us an out by simply delineating the capability gaps,
esp. the high priority ones.

Mary: <recap from last meeting> Chris points out that we aren't getting
anywhere.  I reminded people that DCL goal is to generate missing
capabilities.  Security section in old DCL doc was random collection of
security technology.  The review showed that the capabilities were
insufficient to provide security assurance.  So current doc is working
with that feedback to discover gaps.

Ed: Either a social issue with the discussion

Dennis: CC Eval project manager for RH and Unisys.  Still working
through vulnerability assessment doc.  We'll have a web security app
opening up soon, but don't have many details.

Chris: There are projects that are underway to help push Linux security
forward, esp in the area of CC evaluation.  E.g. audit work (which
served CAPP first, and is now moving on to LSPP), and general LSPP

Dennis: Is audit the new system, or LAuS?

Chris: The new audit subsystem.  LAuS was stop gap for certification,
but wasn't upstreamed.

Ed: LAuS was demonstration of Linux ability to achieve CAPP.

Emily:  File system capabilities patch.  Chris have you looked?

Chris: Yes (I sent Serge some quick feedback about a month ago).

Ed: Lack of time slices 

Emily: Agreed.

Mary: If things are being worked, then we can also simply monitor them.

Emily: Do we talk about competitive gaps as well?

Mary: Yes. Both where we're ahead and where we're behind.  Technical
gaps would be my priority.

Mary: If we could get some of the comments, like list from Emily,
the projects Chris mentioned, CGL comparison, that would be a starting

Chris: BTW, I forgot to mention distributed authentication (like active
directory) as a gap.

