[894] in WWW Security List Archive
Re: Netscape's purported RNG
daemon@ATHENA.MIT.EDU (Beth Frank)
Thu Sep 21 13:49:14 1995
From: efrank@ncsa.uiuc.edu (Beth Frank)
To: www-security@ns2.rutgers.edu
Date: Thu, 21 Sep 1995 09:26:18 -0500 (CDT)
In-Reply-To: <199509211235.MAA02857@trilane.EBT.COM> from "Don Stinchfield" at Sep 21, 95 12:35:44 pm
Errors-To: owner-www-security@ns2.rutgers.edu
> Instead of discussing internal mechanisms for providing high quality
> products I think we should be discussing external mechanisms
> for proving the security claims of a product. I'm not sure how difficult
> this may be but a set of conformance tests could be created (?) that can
> be used to verify that a product has achieved its desired security level.
> Otherwise, beyond a company's claim that its products provide security,
> there is no way for a user to verify a product's security capabilities.
> But, if a product has passed the www-security conformance test suite then
> the user is assured that at least some level of security has been verified.
>
> My two cents.
>
> Regards,
> Don
>
I would like to second this idea. NCSA has been spending increasing
amounts of effort in order to make our software secure. It would be
nice to be able to put our software through some security test or
standard created by an independent group and be able to point to a
seal of approval, rather than just saying "trust us, we've reviewed
it".
--
Elizabeth(Beth) Frank
NCSA Server Development Team
efrank@ncsa.uiuc.edu