Looks like speculation

Posted Apr 9, 2008 14:59 UTC (Wed) by rfunk (subscriber, #4054)
In reply to: Looks like speculation by rfunk
Parent article: Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model

Er, I should also note (before someone else does), that not all RFCs are 
officially considered standards, and that when they are considered 
official Internet standards they get STD numbers that few people actually 
bother to remember (since they've already been busy implementing the RFC).


Looks like speculation

Posted Apr 9, 2008 16:24 UTC (Wed) by nix (subscriber, #2304)

Yeah, but you don't generally submit something as an RFC while it's still under heavy change:
they go through draft processes first. Under the definition of 'open' used in this document,
that wouldn't be open yet because the standards body hadn't accepted it!

(And submitting something to a standards body is neither necessary nor sufficient nor anything
more than indicative that people are free to implement it: notably, you can have things which
people are free to implement which are not standards, perhaps because all the code is freely
available. You can also have things which are standards which are in practice unimplementable
in full, perhaps because they're huge and somewhat ambiguous like CORBA or C++, or because
they're just too limited to be useful, like the earlier SQL standards.)

Looks like speculation

Posted Apr 11, 2008 13:36 UTC (Fri) by DanWeinreb (subscriber, #51526)

When we are talking about security, and saying that it's important for security software to be
"open", what we mean by "open" in this context is that anybody should be able to see how it
works.  You want it to be inspected by experts.  Most important, you want to avoid "security
by obscurity", which experience has shown is a bad principle.

So whether it is standardized by a standards body has absolutely nothing to do with the case.
If a new version comes out, of course that needs to be re-examined and re-audited.  And if no
finalized version has come out yet, that just means that it's not time yet for final auditing,
but it's a great time for the public to point out flaws and suggest improvements.

Some of the papers on Bitfrost are written as if Bitfrost were completely specified,
implemented, in use, and so on.  If so, then someone has grounds for complaint.  But they
should carefully complain about just that, NOT that it's "not open".

Copyright © 2008, Eklektix, Inc.