Re: Package Proposal #1 (Security packages), rev03


Kento Yoshida
 

Thank you for your comments, Punit.

I'll reply to your queries; see the following.

* sudo-ldap

> Is there a specific requirement to include sudo-ldap in favour of plain sudo? IIUC,
> sudo is a minimal dependency version while ldap requires additional packages to
> be available.

We considered and decided to adopt only the sudo binary. As a result, the sudo source code includes both sudo and sudo-ldap binaries, but we only need sudo.
LDAP is just an example in the requirement and will be needed only in specific cases. At least, none of the security working group members want that.

* openssh

> Based on the listed requirements, it is not clear why ftp and ssh clients are needed.
> Can you please clarify the requirements' text to motivate inclusion of the client
> binaries as well.

The SSH client is needed just as a run-time dependency for the SSH server.

* pam-pkcs11

> From my understanding, the package enables login using public / private keys.
> But the requirements talk about enforcing the strength of passwords -
>
> "A minimum strength of used passwords needs to be enforced."
>
> Possibly a mixup of package and requirements?

Indeed, the package functionality and the requirement do not match.
In addition, pam-pkcs11 is only required for CR 1.7, which means "A minimum strength of used passwords needs to be enforced.", so we should consider again whether we need pam-pkcs11 or not.
Thank you for pointing this out.

* tpm2*

> I think libtss2-esys0 is mistakenly included as explicit requirement. It seems to be a
> dependency of tpm2-abrmd and will get pulled in automatically as per my
> understanding.

Yes. libtss2-esys0 is a dependency of tpm2-abrmd and tpm2-tools.
But it is not just a mistake. The TSS and TCTI libraries located in libtss2-esys0 are important to meet the requirement shown in the description for tpm2*.
So, I expressly include libtss2-esys0 as a required binary, not just a dependency.

* uuid-runtime

> It’s not clear how the package is related to the requirement -
>
> "Account Identifier shall be unique on a component or system wide
> level. Protection of relevant information in rest and transit shall
> be supported."
>
> Can you add more details to the requirement to clarify this?

As is, the identifier shall be unique, so we need a universally unique identifier generator.
Sorry, but I don't know what you don't know. This is a very simple requirement.

-----Original Message-----
From: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Sent: Monday, March 9, 2020 7:31 PM
To: Kento Yoshida <kento.yoshida.wz@renesas.com>
Cc: cip-dev@lists.cip-project.org; cip-security@lists.cip-project.org
Subject: Re: [cip-dev] Package Proposal #1 (Security packages), rev03

Hi,

As mentioned earlier, I had some questions / queries regarding the requirements
for the proposed packages. Sending them here for discussion.

Kento Yoshida <kento.yoshida.wz@renesas.com> writes:

> Requirements_for_proposal_SecurityWG_rev03.xlsx: the same file which
> I've already sent before to explain the requirement in the standard

* sudo-ldap

Is there a specific requirement to include sudo-ldap in favour of plain sudo? IIUC,
sudo is a minimal dependency version while ldap requires additional packages to
be available.


* openssh

Based on the listed requirements, it is not clear why ftp and ssh clients are needed.
Can you please clarify the requirements' text to motivate inclusion of the client
binaries as well.


* pam-pkcs11

From my understanding, the package enables login using public / private keys.
But the requirements talk about enforcing the strength of passwords -

"A minimum strength of used passwords needs to be enforced."

Possibly a mixup of package and requirements?


* tpm2*

I think libtss2-esys0 is mistakenly included as explicit requirement. It seems to be a
dependency of tpm2-abrmd and will get pulled in automatically as per my
understanding.


* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
---


Thanks,
Punit
