
List:       cryptography
Subject:    Re: Security Lab To Certify Banking Applications (was Re: ECARM NEWS for
From:       Tom Weinstein <tomw () geocast ! com>
Date:       1999-07-26 23:39:38

"William H. Geiger III" wrote:
> 
> In <v0421012db3be70faae9c@[207.244.108.87]>, on 07/23/99
>    at 03:20 PM, Robert Hettinga <rah@shipwright.com> said:
> 
> >> The Financial Services Security Laboratory will open July 28 in
> >> Reston, Va. The facility will be used to test software packages against
> >> a set of standards for securing e-commerce and bill-payment
> >> applications, as well as browsers and operating software.
> >>
> 
> Well I have my doubts on this. Either they refuse to certify Microsoft &
> Netscape software and alienate 90% of the consumer market, or they do
> certify them making their certification worthless.

While they certainly couldn't certify any browser that included Java or
JavaScript, what about certifying one with the caveat that these features be
turned off?  The vast majority of the security problems in Communicator have
come from strange interactions between, and within the object models of, these
two very powerful languages.  The one notable exception is the fairly recent
buffer overruns in some of the mail attachment code that was not properly
reviewed.

Of course, Windows NT (and IE which we all know is part of the OS) could be
certified as long as it wasn't connected to a network, just as was done for
their C2 certification.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | tomw@geocast.com
transcending structure.  -- The Tao of Programming   |
