
Re: Ability to withstand well known attacks



> What this requirement is saying is "if a vendor hands me a piece of
> equipment to test/buy/deploy that has well known
> vulnerabilities/exploits, I (as the customer/operator/purchaser)
> will fail it until the known problems are fixed".  I don't want to
> buy/use broken/breakable systems.

RFCs can be used as standards; customers generally want vendors to
claim compliance with a standard.

The problem with the current text is that *as new exploits* are
discovered, past claims of compliance with section 2.3.8 are
retroactively invalidated because 2.3.8 is a continuously moving
target.

We need language which recognizes this fluid nature.

Bold but brittle claims of total invulnerability to all known attacks
won't help anyone (except maybe the lawyers once lawsuits start
flying...)

With respect to one particular source:

>       *  Bugtraq [Bugtraq] postings

A lot of good info goes by on that list, but there's also a fair
amount of chaff and trash talk on Bugtraq; not all the postings
describe known vulnerabilities.  I don't see an objective standard for
how to evaluate whether a Bugtraq post describes a "known attack".

Bugtraq posts could be one input to an organization which maintains a
known vulnerability list; they themselves are not such a list.

					- Bill