[891] in WWW Security List Archive
Re: Netscape's purported RNG
daemon@ATHENA.MIT.EDU (Don Stinchfield)
Thu Sep 21 11:28:55 1995
From: Don Stinchfield <des@ebt.com>
Date: Thu, 21 Sep 1995 12:35:44 GMT
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Date: Wed, 20 Sep 95 14:00:54 -0700
From: jet@abulafia.genmagic.com (J. Eric Townsend)
|
| The announcement they have on their WWW server implies that they only
| discovered the bug by reading USENET.
|
| Whatever happened to code reviews and diligent SQA?
|
| Not speaking for my employer,
|
Instead of discussing internal mechanisms for providing high quality
products I think we should be discussing external mechanisms
for proving the security claims of a product. I'm not sure how difficult
this may be but a set of conformance tests could be created (?) that can
be used to verify that a product has achieved its desired security level.
Otherwise, beyond a company's claim that its products provide security,
there is no way for a user to verify a product's security capabilities.
But, if a product has passed the www-security conformance test suite then
the user is assured that at least some level of security has been verified.
My two cents.
Regards,
Don