[LINK] RFC: Government mandates Open Document Format?

Glen Turner gdt at gdt.id.au
Sun Jun 2 20:06:42 AEST 2013


SUMMARY

There is no exemption based on choice of operating system. Thus DFaD should ensure that their recommendations are reasonable for non-Windows desktops and laptops. The document fails to do this, strongly suggesting that the authors lack sufficient knowledge of MacOS, iOS, Linux and Android.

DETAIL

> The email client must support the POP3, POP3S, IMAP, IMAPS, SMTP and SMTPS protocols.

So the requirement is for protocols which send passwords in plain text? And why require POP support to fetch e-mail from server to desktop when most organisations would rather keep mail on the server? SMTPS is deprecated; SMTP with STARTTLS authentication on the Submission port is preferred.

Would be better worded as:
 - mail servers MUST allow mailbox access via IMAPS
 - mail servers MAY allow IMAP but in this case authentication MUST use STARTTLS.
 - mail exchangers MUST allow SMTP on the submission port with STARTTLS authentication
 - the certificates for mail servers and mail exchanges and their clients SHOULD be issued by the organisation's PKI, as this limits door knocking attacks to computers controlled by the organisation.

> The email client MUST support shared calendars

Is an interesting requirement, considering that every vendor except one runs calendaring as a non-mail application.

> …firewall client must be able to change its configuration automatically based on location.
Poorly worded. If this happened as written it wouldn't give the desired result.

> The host-based intrusion prevention client must automatically and transparently report scanning results.
"Transparently" meaning what?

> The application whitelisting client should use hashes of approved executables,
> and if possible approved DLLs, rather than approved directories

Doesn't allow file labelling, as used by most multilevel security schemes (Linux's SELinux, Solaris's Bell-LaPadula implementation, etc).

> The codec pack … the MPEG 4 part 2 standard
> The codec pack … Audio Layer 3 standard

Non-free codecs. Why?

> The 64 bit (X64) version of the operating system must be used

So no ARM CPUs. Better wording would be to forbid operating systems built for IA32.

> Caching of domain credentials should be disabled.

I know what they are trying to say, but they need to be more explicit, otherwise it will disallow server-side caching which means that laptops will need passwords independent of the organisations' main password store.

> Hardware must support 64bit operating systems

Again, no ARM.

> Hardware must support Wake-on-LAN functionality.

They want to do this to apply security patches, but the feature itself is a fine security hole for laptops. There is a tradeoff so the recommendation's MUST is too severe.

> To support the goal of agencies being able share services, the packaging of software
> should be managed so an application can be packaged once and reused many times.
> Agencies should look to use application virtualisation to achieve this.

Agencies SHOULD is poor, as it penalises operating systems with reasonable software inventory and configuration management. The strategy proposed really only fixes an issue endemic to one operating system which lacks effective package and configuration management.

> The use of centralised logging does not preclude the logs also remaining resident on
> their local systems.

Logs contain sensitive data and should be nowhere near the computer being logged. The reason for this exemption isn't explored.


-glen
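
The four mail-server rules proposed in the message above can be checked mechanically against an inventory of mail endpoints. The following is an added example, not part of the original post: the `Endpoint` fields, the hostnames, the issuer names and the `audit` function are all assumptions made for illustration, and the sample inventory is constructed.

```python
# Added example: audit a constructed mail-endpoint inventory against the
# four rules proposed in the message. All names here are hypothetical.
from dataclasses import dataclass

ORG_CA = "CN=Example Agency Issuing CA"  # constructed issuer name
SUBMISSION_PORT = 587                    # the Submission port (RFC 6409)

@dataclass(frozen=True)
class Endpoint:
    host: str
    proto: str   # "imap" or "smtp"
    port: int
    tls: str     # "implicit", "starttls-required", "starttls-optional", "none"
    issuer: str  # issuer of the server certificate, "" if none

def audit(endpoints):
    """Return (level, host, message) findings; level is MUST or SHOULD."""
    findings = []
    # Rule 1: mailbox access via IMAPS (IMAP over implicit TLS) must exist.
    if not any(e.proto == "imap" and e.tls == "implicit" for e in endpoints):
        findings.append(("MUST", "*", "no IMAPS mailbox access offered"))
    # Rule 3: SMTP on the submission port with mandatory STARTTLS must exist.
    if not any(e.proto == "smtp" and e.port == SUBMISSION_PORT
               and e.tls == "starttls-required" for e in endpoints):
        findings.append(("MUST", "*", "no SMTP submission with mandatory STARTTLS"))
    for e in endpoints:
        # Rule 2: plain IMAP is allowed only if STARTTLS precedes authentication.
        if e.proto == "imap" and e.tls in ("none", "starttls-optional"):
            findings.append(("MUST", e.host,
                             "IMAP permits authentication without STARTTLS"))
        # Rule 4: certificates should come from the organisation's own PKI.
        if e.tls != "none" and e.issuer != ORG_CA:
            findings.append(("SHOULD", e.host,
                             "certificate not issued by the organisation's PKI"))
    return findings

# Constructed sample inventory.
SAMPLE = [
    Endpoint("mail.agency.example", "imap", 993, "implicit", ORG_CA),
    Endpoint("mail.agency.example", "imap", 143, "starttls-optional", ORG_CA),
    Endpoint("mx.agency.example", "smtp", 587, "starttls-required", "CN=Public Web CA"),
]

if __name__ == "__main__":
    for level, host, message in audit(SAMPLE):
        print(f"{level:6} {host}: {message}")
```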


