[Zope3-dev] Certification

Christian Theune ct@gocept.com
18 Jun 2003 22:26:18 +0200


--=-i2wU61T5WzpRjbDJYV8n
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Am Mit, 2003-06-18 um 22.03 schrieb Guido van Rossum:
> > Soon the certification process for Zope 3 is going to be started.
>=20
> AFAIK there are a lot of open ends in the Zope 3 security
> implementation.  For example, every call to removeAllProxies() must be
> reviewed, and in many cases a more secure solution must be coded or
> permissions must be added to the feature that uses it.
>=20
> Isn't it too early to start certification?

Well, the level of certification only happens on a functional level. The
certifications are very expensive and we got a level 1 (EAL-1) sponsored
and the TUEV wants to be done by the end of the year. It merely comes
down to specify and describe the security features people see from the
outside (e.g. "We ask for a username and password before allowing XY"
and "We do log security related function calls to be able to analyze
them") and are only tested if they are there. In this level there is no
code review involved.

I know this is a drawback from a higher level, but we shouldn't forget
that we still are the first open source project (known to the
certification body) who is doing that. And we can upgrade later on as
well.=20

As a last thing: The functional open ends need to be pinned down for the
certification, but nobody denies us implementing more than we have
certified. The only thing is that releases that touch the security code
need to be revalidated, but we will look into that issue during the
workshop.

Cheers,
Christian

--=20
Christian Theune, gocept gmbh & co. kg
http://www.gocept.com - ct@gocept.com
fon: 03496 3099112 fax: 03496 3099118 mobile: 0179 7808366

--=-i2wU61T5WzpRjbDJYV8n
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: Dies ist ein digital signierter Nachrichtenteil

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQA+8MrqdUt9X/gknwIRApsNAKCokjtntO8ADBebQUQuGw/HiGdb7QCfS7E0
Qimm7KvpanFRUfsRbFMYFf8=
=CNMw
-----END PGP SIGNATURE-----

--=-i2wU61T5WzpRjbDJYV8n--