Re: Package Proposal #1 (Security packages), rev03


punit1.agrawal@...
 

Hi Yoshida-san,

Thanks for the clarifications. Where applicable please include them in
the requirements text and / or comments for the relevant packages for
the next update.

One additional comment below -

Kento Yoshida <kento.yoshida.wz@renesas.com> writes:

[...]

* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
As is, identifier shall be unique, so we need universally unique identifier generator.
Sorry but I don't know what you don't know. This is very simple
requirement.
I understand the requirement for having ’unique account identifier’
(usernames) but using uuidgen to achieve this seems quite impractical.

For reference, I checked the output of uuidgen included in the package -

$ uuidgen
b865c278-4230-4d5a-b7de-0ee528910095

It generates a 37 character long string of what seems like random hex
values. Are you recommending that we have these kind of strings for
usernames?

Thanks,
Punit


-----Original Message-----
From: Punit Agrawal <punit1.agrawal@toshiba.co.jp>
Sent: Monday, March 9, 2020 7:31 PM
To: Kento Yoshida <kento.yoshida.wz@renesas.com>
Cc: cip-dev@lists.cip-project.org; cip-security@lists.cip-project.org
Subject: Re: [cip-dev] Package Proposal #1 (Security packages), rev03

Hi,

As mentioned earlier, I had some questions / queries regarding the requirements
for the proposed packages. Sending them here for discussion.

Kento Yoshida <kento.yoshida.wz@renesas.com> writes:

Requirements_for_proposal_SecurityWG_rev03.xlsx: the same file which
I've already sent before to explain the requirement in the standard
* sudo-ldap

Is there a specific requirement to include sudo-ldap in favour of plain sudo? IIUC,
sudo is a minimal dependency version while ldap requires additional packages to
be available.


* openssh

Based on the listed requierments, it is not clear why ftp and ssh clients are needed.
Can you please clarify the requirements' text to motivate inclusion of the client
binaries as well.


* pam-pkcs11
From my understanding, the package enables login using public / private keys.
But the requirements talk about enforcing the strength of passwords -

"A minimum strength of used passwords needs to be enforced."

Possibly a mixup of package and requirements?


* tpm2*

I think libtss2-esys0 is mistakenly included as explicit requirement. It seems to be a
dependency of tpm2-abrmd and will get pulled in automatically as per my
understanding.


* uuid-runtime

It’s not clear how the package is related to the requirement -

"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."

Can you add more details to the requirement to clarify this?
---


Thanks,
Punit

Join cip-dev@lists.cip-project.org to automatically receive all group messages.