From: Raju Mathur (rajuLINUX-DELHI.ORG)
Date: Sat Feb 03 2001 - 09:40:05 CST

    >>>>> "Phil" == Phil Scarr <prscarrGREYMOUSER.COM> writes:

        Phil> [snip]

        Phil> While there has been a lot of hyperbole strewn about on this
        Phil> topic, I figured I'd go out on a very long, slender limb and
        Phil> agree with the stated purpose of this new
        Phil> conspiracy/cabal/clique/whatever.

        Phil> I agree that TLDs should have early access to security
        Phil> related issues. I can also make the same argument for
        Phil> vendors who ship bind as part of their offerings, especially
        Phil> OS vendors like Sun, HP and IBM.

    It is unlikely that anyone would quibble with that point. To me, the
    scary part is that so much power rests in the hand of one single
    organisation (or even one single person). ISC and Paul Vixie decide
    unilaterally who gets to join the BMG for money, who gets to join it
    for free, and who doesn't get to join it. I'm no Microsoft lover, but
    what if ISC decides that MS doesn't get to be part of the BMG (BIND
    doesn't ship with Windows by default, does it?)? Does that mean that
    all the Hotmail nameservers are vulnerable to new named exploits until
    the BMG decides to release a patch? How does ISC decide which Linux
    vendors can be given free participation in the BMG, which have to pay,
    and which aren't eligible at all? Will I automatically get free
    membership of the BMG if I make my own Hindi Linux distribution for
    use in North India and get 3 people to use it? How about an Iraqi
    Linux distribution (Iraq is prohibited from downloading strong
    cryptography from most countries and thus cannot easily conform to the
    S/MIME/PGP requirement)?

    I'd strongly urge Paul Vixie and the BMG to have a coherent membership
    policy answering these questions before they take any further steps
    and make any more announcements regarding the BMG. A clear-cut,
    coherent public membership policy would go a long way towards
    alleviating the concern that the announcement has created in the
    security and Internet communities. The policy will also enable
    developers and other concerned people to decide whether ISC BIND and
    the BMG are sufficiently open to prevent a fork of the source or not.

        Phil> [more snip]

    Regards,

    -- Raju

    --
    Raju Mathur          rajukandalaya.org           http://kandalaya.org/