[Info-vax] VSI has released 9.2-1
Arne Vajhøj
arne at vajhoej.dk
Mon Jun 19 20:02:15 EDT 2023
On 6/19/2023 8:20 AM, Simon Clubley wrote:
> On 2023-06-16, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 6/16/2023 8:21 AM, Simon Clubley wrote:
>>> On 2023-06-15, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>> Lots of useful stuff (I don't get the entropy thing - sure it is
>>>> important, but there are many other things more important IMHO).
>>>
>>> The entropy stuff is a critical part of getting "the world's most
>>> secure operating system" actually back up to the standards of modern
>>> operating systems. Before this, random number generation on VMS
>>> was hopeless from a security point of view.
>>>
>>> It's also vital that it's in x86-64 VMS _before_ the first commercial
>>> releases so that software that should be using it can rely on it actually
>>> being present so it does get used in code.
>>>
>>> The amount of effort that VSI are spending on this, at this point in time,
>>> is well justified.
>>
>> How many more VMS licenses will VSI sell because of that feature?
>>
>> My guess: zero.
>
> This is not about selling new systems. This is about being a part of
> work to make sure that existing sites don't get forced to move away
> from VMS because VMS no longer meets the industry standard security standards.
>
> You can have a nice piece of software running on VMS, but that's no
> good unless those VMS systems are secure by modern standards. VMS systems
> _WILL_ be dropped in many areas if they are regarded as no longer being
> secure by today's standards.

Which security standards mandate direct support for entropy generation
in the OS?

>> The OpenSSL maintainers may be happy that they get better entropy
>> with less code.
>
> Replace "better entropy" with "now-acceptable entropy".

Who is saying that the current OpenSSL way is no longer acceptable?

> The new entropy
> engine running within the kernel offers a brand-new capability for VMS
> that is considered to be standard elsewhere.
>
> To put this another way, the previous solutions for generating entropy
> within user mode that I am aware of were not suitable by today's standards.

So you say.

I would really like to get some sources.

> Look at previous discussions here about trying to find sources to get
> a bit more entropy while running in user mode.

The topic has been discussed.

And the maintainer of the OpenSSL VMS code has indeed asked
some questions.

But I do not remember him saying that the current code was
not acceptable.

> Maybe I am seeing something here you are missing?

Possible. I miss a lot of things. So just post links
to the standards, best practice documents etc. specifying
the need for direct OS entropy.

Arne