[Info-vax] VSI has released 9.2-1

Dave Froble davef at tsoft-inc.com
Mon Jun 19 21:43:22 EDT 2023


On 6/19/2023 8:02 PM, Arne Vajhøj wrote:
> On 6/19/2023 8:20 AM, Simon Clubley wrote:
>> On 2023-06-16, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> On 6/16/2023 8:21 AM, Simon Clubley wrote:
>>>> On 2023-06-15, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>>>> Lots of useful stuff (I don't get the entropy thing - sure it is
>>>>> important, but there are many other things more important IMHO).
>>>>
>>>> The entropy stuff is a critical part of getting "the world's most
>>>> secure operating system" actually back up to the standards of modern
>>>> operating systems. Before this, random number generation on VMS
>>>> was hopeless from a security point of view.
>>>>
>>>> It's also vital that it's in x86-64 VMS _before_ the first commercial
>>>> releases so that software that should be using it can rely on it actually
>>>> being present so it does get used in code.
>>>>
>>>> The amount of effort that VSI are spending on this, at this point in time,
>>>> is well justified.
>>>
>>> How many more VMS licenses will VSI sell because of that feature?
>>>
>>> My guess: zero.
>>
>> This is not about selling new systems. This is about being a part of
>> work to make sure that existing sites don't get forced to move away
>> from VMS because VMS no longer meets the industry standard security standards.
>>
>> You can have a nice piece of software running on VMS, but that's no
>> good unless those VMS systems are secure by modern standards. VMS systems
>> _WILL_ be dropped in many areas if they are regarded as no longer being
>> secure by today's standards.
>
> Which security standards mandate direct support for entropy generation
> in the OS?

Simon sez ...

:-)

>>> The OpenSSL maintainers may be happy that they get better entropy
>>> with less code.
>>
>> Replace "better entropy" with "now-acceptable entropy".
>
> Who is saying that current OpenSSL way is no longer acceptable?

Simon sez ...


>> The new entropy
>> engine running within the kernel offers a brand-new capability for VMS
>> that is considered to be standard elsewhere.
>>
>> To put this another way, the previous solutions for generating entropy
>> within user mode that I am aware of were not suitable by today's standards.
>
> So you say.
>
> I would really like to get some sources.
>
>> Look at previous discussions here about trying to find sources to get
>> a bit more entropy while running in user mode.
>
> The topic has been discussed.
>
> And the maintainer of the OpenSSL VMS code has indeed asked
> some questions.
>
> But I do not remember him saying that the current code was
> not acceptable.
>
>> Maybe I am seeing something here you are missing ?
>
> Possible. I miss a lot of things. So just post links
> to the standards, best practice documents etc. specifying
> the need for direct OS entropy.

People who count on encryption to provide protection don't really care all that
much.  Do enough to check the appropriate box, then not their problem.

People who really care about security of course may use SSL, but then what
happens when the encryption is broken?  The user's data is available to the
hackers.  But what if the app developers ensured that the data, if encryption is
defeated, doesn't really mean anything to the hackers?  Some custom stuff in
addition to SSL and such.  Yeah, even then, some hacker might figure out the
data.  But isn't it better to make it as tough for the hacker as one can?

Now I'll hear from some "you got to use standards".  I'd ask "why?"  The problem 
with standards is, everybody knows them.


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486
