'[Security_sig] Latest draft of CGL security spec'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       osdl-security-sig
Subject:    [Security_sig] Latest draft of CGL security spec
From:       "Cihula, Joseph" <joseph.cihula () intel ! com>
Date:       2005-04-19 15:54:51
Message-ID: CA95C29D57188841ABB072EA7357C00D08175501 () orsmsx402 ! amr ! corp ! intel ! com
[Download RAW message or body]

["warning1.txt" (text/plain)]

WARNING: This e-mail has been altered by MIMEDefang.  Following this
paragraph are indications of the actual changes made.  For more
information about your site's MIMEDefang policy, contact
OSDL <osdl_support@osdl.org>.  For more information about MIMEDefang, see:

            http://www.roaringpenguin.com/mimedefang/enduser.php3

Watch out!  The file 'cgl_v31_draft_security v08.doc' may be dangerous!
While no specific virus was detected, there are signatures present in the
file that could be from a currently unknown Virus.

["warning1.txt" (text/plain)]

WARNING: This e-mail has been altered by MIMEDefang.  Following this
paragraph are indications of the actual changes made.  For more
information about your site's MIMEDefang policy, contact
OSDL <osdl_support@osdl.org>.  For more information about MIMEDefang, see:

            http://www.roaringpenguin.com/mimedefang/enduser.php3

Watch out!  The file 'cgl_v31_draft_security v08.doc' may be dangerous!
While no specific virus was detected, there are signatures present in the
file that could be from a currently unknown Virus.

[Attachment #4 (multipart/alternative)]


Attached is the latest draft of the CGL security spec.

I believe that there are only two open issues with it:
1.  There has been some debate about whether it should include
requirements for secure default settings (it currently does not).  While
in principle I think that this is a good thing, I don't think that this
version of the specification is appropriate for it.  This is the first
version of the CGL security specification and it will be good just to
get a solid set of base requirements out to the industry before
complicating it with default settings.  Also, this spec will be part of
the CGL 3.1 release, which is just an incremental release (mainly to
include security) and so impacting the rest of the specs (as the
defaults would cover requirements in those specs as well) is probably
not advised for a point release.  That said, I'm open to opinions.
2.  SEC.3.1 Log Integrity and Origin Authentication does not have any
PoCs that are more recently active than 2003.  It was a P1 requirement
from the CGL 2.0 spec.  I propose that it be moved to the roadmap
section due to lack of PoC activity.

(I would post a PDF version but Word can't format it correctly for
printing--tech writer to fix).

> Joseph Cihula
> (Linux) Software Security Architect
> Intel Corp.
> 
> *** These opinions are not necessarily those of my employer ***
 <<cgl_v31_draft_security v08.doc>> 

[Attachment #7 (text/html)]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>Latest draft of CGL security spec</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->

<P><FONT SIZE=2 FACE="Arial">Attached is the latest draft of the CGL security \
spec.</FONT> </P>

<P><FONT SIZE=2 FACE="Arial">I believe that there are only two open issues with \
it:</FONT>

<BR><FONT SIZE=2 FACE="Arial">1.&nbsp; There has been some debate about whether it \
should include requirements for secure default settings (it currently does \
not).&nbsp; While in principle I think that this is a good thing, I don't think that \
this version of the specification is appropriate for it.&nbsp; This is the first \
version of the CGL security specification and it will be good just to get a solid set \
of base requirements out to the industry before complicating it with default \
settings.&nbsp; Also, this spec will be part of the CGL 3.1 release, which is just an \
incremental release (mainly to include security) and so impacting the rest of the \
specs (as the defaults would cover requirements in those specs as well) is probably \
not advised for a point release.&nbsp; That said, I'm open to opinions.</FONT></P>

<P><FONT SIZE=2 FACE="Arial">2.&nbsp; SEC.3.1 Log Integrity and Origin Authentication \
does not have any PoCs that are more recently active than 2003.&nbsp; It was a P1 \
requirement from the CGL 2.0 spec.&nbsp; I propose that it be moved to the roadmap \
section due to lack of PoC activity.</FONT></P>

<P><FONT SIZE=2 FACE="Arial">(I would post a PDF version but Word can't format it \
correctly for printing--tech writer to fix).</FONT> </P>

<P><FONT SIZE=2 FACE="Arial">Joseph Cihula</FONT>

<BR><FONT SIZE=2 FACE="Arial">(Linux) Software Security Architect</FONT>

<BR><FONT SIZE=2 FACE="Arial">Intel Corp.</FONT>
</P>

<P><FONT SIZE=2 FACE="Arial">*** These opinions are not necessarily those of my \
employer ***</FONT>

<BR><FONT FACE="Arial" SIZE=2 COLOR="#000000"> &lt;&lt;cgl_v31_draft_security \
v08.doc&gt;&gt; </FONT> </P>

</BODY>
</HTML>


["cgl_v31_draft_security v08.doc" (application/msword)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic