Linux Today: Linux News On Internet Time.

Security information for dollars?

Feb 01, 2001, 21:19 (9 Talkback[s])
(Other stories by Paul Vixie)
Date: Wed, 31 Jan 2001 18:02:48 -0700
From: Theo de Raadt deraadt@CVS.OPENBSD.ORG
Subject: Security information for dollars?

What does the community think of this change in direction?

(Myself, I think it is a terrible idea to charge money for security
information access, and that closing BIND up like this is also going
to be harmful)


To: bind-announce@isc.org
Subject: PRE-ANNOUNCEMENT: BIND-Members Forum
Date: Wed, 31 Jan 2001 09:36:02 -0800
From: Paul A Vixie <Paul_Vixie@isc.org>
X-Approved-By: Ruth.Anne.Ladue@nominum.com
X-original-sender: Paul_Vixie@ISC.Org
X-List-ID: <bind-announce.isc.org>
X-DCC-MAPS-Metrics: isrv3.isc.org 668; IP=0/633557 env_From=0/3494
        From=0/3451 Subject=0/3451 Message-ID=0/3453 Received=0/3453
        Body=0/3451 Fuz1=0/3451

ISC has historically depended upon the "bind-workers" mailing list, and
CERT advisories, to notify vendors of potential or actual security flaws
in its BIND package.  Recent events have very clearly shown that there is
a need for a fee-based membership forum consisting only of:

        1. ISC itself
        2. Vendors who include BIND in their products
        3. Root and TLD name server operators
        4. Other qualified parties (at ISC's discretion)

Requirements of bind-members will be:

        1. Not-for-profit members can have their fees waived
        2. Use of PGP (or possibly S/MIME) will be mandatory
        3. Members will receive information security training
        4. Members will sign strong nondisclosure agreements

Features and benefits of "bind-members" status will include:

        1. Private access to the CVS pool where bind4, bind8 and bind9 live
        2. Reception of early warnings of security or other important flaws
        3. Periodic in-person meetings, probably at IETF's conference sites
        4. Participation on the bind-members mailing list

If you are a BIND vendor, root or TLD server operator, or other interested
party, I urge you to seek management approval for entry into this forum, and
then either contact, or have a responsible party contact, isc-info@isc.org.

Paul Vixie