Re: [RFC][PATCH 0/11] security: AppArmor - Overview

From: Theodore Ts'o
Date: Tue Apr 25 2006 - 10:28:42 EST


On Tue, Apr 25, 2006 at 03:50:00AM -0400, James Morris wrote:
> To make a rough analogy (as Ted mentioned his IETF work earlier...):
>
> The fundamental mechanisms of IPsec are sound. It has taken many, many
> years to get it to this stage, despite claims of it being "too
> complicated". In that time, several "simple" protocols were designed and
> implemented to address the "complexity" issues, but it turns out, after
> all, that with the right level of abstraction and tools, IPsec is not too
> complicated to be secure or to use: by the obvious example of both its
> widespread adoption and, afaik, no systemic security failures.

And yet, many people use SSH and TLS, and it is more than sufficient
for their needs. Despite being very involved with the development of
IPSec, and Kerberos, there are plenty of times when I will tell people
to *not* use those technologies because they are *just* *too*
*complicated*.

Choice is good.

SELinux should not be the only way to do things.

- Ted