Jonathan McCown <JMCCOWN @
> Marcus helped us in the beginning, but felt we were
> not rigorous enough.
Actually, that's not *quite* it. I feel there's an inherent tension
in any certification process depending, in a nutshell, on who is
paying for it. It's not that I felt that NCSA wasn't being rigorous
enough -- it's that I felt NCSA would always be between a rock
and a hard place, and your efforts would always be hampered
by questions about choosing the right level of rigorousness!!
When I think back to the discussions we had back then (and this was a
while ago!) I recall that I was mostly annoyed that the people who
really "owned" the problem stayed silent. Folks like NIST and other
(ahem) nameless branches of the government that also, because of
funding or procurement politics or office politics or the fact that
they've got an obsolete spook mindset couldn't contribute to a
I recall the bulk of the discussion went something like this --

mjr (philosophizing): The problem with certification is that to certify something, you must first decide what is "good" and then only certify things that are "good." This will tend to annoy those who don't agree on your definition of "good."

Bales & Tippett: BUT - a certification programme can be useful without a globally accepted definition of "good." We start with a baseline criterion and keep raising the bar from there.
Truth is, I think both positions are reasonable, but they can't
co-exist very well. What's funny is that in the long run, I think
my philosophical position was too extreme. I was ignoring the
fact that firewall technologies are now all approximately
equally "good" and that the biggest factor affecting an individual
firewall's security is how the end user configures it. I guess a
good analogy would be NTSB testing seatbelts -- as long as it
is strong enough, then the real problem is making sure that
the user *wears* it.
Marcus J. Ranum, Network Flight Recorder, Inc.
New Book! http://www.amazon.com/exec/obidos/ISBN=047118148X