Hiya,

On 9 May 2013, at 18:11, Jim Klimov <jimkli...@cos.ru> wrote:

> On 2013-05-09 17:51, Googlemail: Dave Walker wrote:
>> Now, there are good reasons not to use this in practice in a Trusted
>> Extensions environment - all involving the fact that Google Voice is an
>> untrusted, not protectively marked service - but for other contexts, I can
>> imagine it being useful, with improved recognition (probably on newer and
>> higher-end devices). I haven't upgraded to the new SRS 5.4 yet, but wouldn't
>> expect it to have much bearing on how well this works.
>
> I'd suspect that really trusted implementations need a trust-certified
> stack - including user and server hardware, OS, application software,
> networking components (or certified VPN between trusted hosts), etc.
> While I guess SRSS running on Sun Rays and Oracle HW/OS Servers might
> provide that level of paper protection against regulation enforcements
> if that's required (usually is the reason for Trusted stuff), you need
> to be careful about using any other pieces in the puzzle (check that
> they comply) - the solution might lose its trusted-stack status due
> to weak links in the chain. Likely, a random consumer phone/tablet
> won't be acceptable; some "military/law-enforcement editions" might be.

You're right, of course, Jim; in OVDC terms, I use my iPad as a handy-to-carry demo device which hooks up to an Internet-connected demo server I run, as most people I talk to haven't seen Trusted Extensions before (or anything remotely resembling it).

OVDC for Android changes the rules somewhat, though; bearing in mind that GD Mercury clients ran an embedded Linux (as did some of the Gobis) with a pre-OVDC "Soft Ray" on top and got into approved environments, an Android image could potentially be stripped of the capability to load or run anything other than OVDC, and stood up for approval.

The main issue from there is the wireless comms; an Android device would have to have its own wireless capabilities taken out, and it would probably be easier to build a new one with just a wired network connection.

In terms of where that wired network connection would go, testing of Sun Rays a few years back with a range of approved line encryptors showed that different units behaved very differently in terms of throughput, when fed a diet of lots of small packets such as comprises typical Sun Ray traffic; it was found that the EADS (now Cassidian) Ectocryp Blue fared best, but things will have moved on since then and a re-test would be justified.

Cassidian now have Ectocryp Yellow competing with TRL's mini-CATAPAN as readily-portable / mobile line encryptors approved for High Grade, so feed the output of one of these into wireless, and things are only going to get more interesting :-).

Cheers,

--
Dave Walker
Labelled Security Limited
Tel: +44 780 3079264
Twitter: @labeledsecurity
http://www.labelledsecurity.co.uk/slides
Labelled Security Limited is registered in England and Wales, No. 7666489 ; VAT 114 6198 23
Registered Office: 1 Andromeda House, Calleva Park, Aldermaston, Berkshire, RG7 8AP