Great Circle Associates Firewalls
(September 1995)
 


Subject: BOS: firewall certification authority -Reply
From: Richard Owen <Richard . Owen @ OAG . STATE . TX . US>
Date: Mon, 11 Sep 1995 08:04:53 -0600
To: firewalls @ greatcircle . com

I agree with this concern.  The National Research Council issued a
report on sensitive but unclassified computing in the US entitled
"Computers at Risk."  In that report they suggested that an
independent organization be formed, the Information Security
Foundation.  We are talking about a non-government organization
under the direction and review of industry and the information
security profession (of course with an interface to government).
It is hoped that this organization would be given the authority to
reduce export restrictions.

As President of ISSA, I am very interested in seeing this happen. 
I have even proposed that ISSA would help to establish such an
organization.  IMPORTANT POINT:  The ISF (now IISF) would
not be part of ISSA.  It is bigger than ISSA or any organization. 
The IISF needs to not only provide certification (firewalls,
systems, people, etc.) and testing but standards development and
research.  ISSA currently has a committee that is trying to define
the Generally Accepted System Security Principles (GSSP) as also
called for in the Computers at Risk report.  The IISF should be a
place to pull all of our activities into a unified direction.  This is
what I have proposed to a working group of the President's
National Security & Telecommunications Advisory Council.

>>> Marcus J. Ranum <mjr @ iwi . com> 09/08/95 10:32pm >>>
>OK folks, imagine there was to be a firewall certification authority. Who
>would you want them to be? Who do you trust?

	First ask if there should be one at all.

	Not all firewalls are the same; many have very different
design goals and objectives. For a single authority to certify a
firewall will imply a single authority imposing its idea of
"correct design": a role NSA has adopted in the past with varying
levels of success and questionable benefits to the community.



