<br><br><div><span class="gmail_quote">On 10/8/05, <b class="gmail_sendername">Paul</b> <<a href="mailto:digium-list@9ux.com">digium-list@9ux.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Mike M wrote:<br><br>>On Fri, Oct 07, 2005 at 09:45:53PM -0400, Paul wrote:<br>><br>><br>>>Also consider that there are situations where 100% open source is never<br>>>allowed. Check out visa/mastercard processor certification for a good
<br>>>example. Digium dual licensing availability means I could actually stand<br>>>a chance of using asterisk as the basis for systems used by military and<br>>>law enforcement in applications that require extremely high security.
<br>>><br>>><br>><br>>There is a popular vendor of closed source products whose security has been<br>>compromised often. The security of OpenSSH is well established.<br>><br>>Reading this list we learn that the open source version of Asterisk is
<br>>currently being used by military personnel.<br>><br>>Asterisk offers ways for users to implement eavesdropping applications which<br>>undermines the goal of attaining extremely high security.<br>><br>>Open source is for sharing if that's feasible and closed source is not.
<br>>Dual licensing is for both.<br>><br>><br>><br>My point was not to argue that closed source enhances security. I was<br>just pointing out that there are situations where the customer will not<br>accept open source.
<br><br>Credit card processing would be a good example. You could design *-based<br>systems for both the client(merchant) and server(processor) functions<br>but last I knew visa/mc would not certify open source solutions.
<br></blockquote></div><br>
Off topic but wanted to correct this..  It's not the software that
has to be certified, it's the merchant (or payment processor). Ya
you can pay a security auditor to look at your software and say that
it's compliant, but it doesn't really mean anything. If you are a
qualifying merchant or payment processor you would still have to go
through the complete audit even if you used 'certified'
software. Also, as a merchant you either have to go
through the full audit yourself, or use a certified payment
gateway. You cannot for example use 'certified' software as a
merchant and connect directly to the bank networks without going
through the full audit yourself at an average cost of around $20,000.<br>
<br>
Chris <br>
<br>
<br>