[Asterisk-Users] Re: www.openpbx.org

snacktime snacktime at gmail.com
Sat Oct 8 12:02:12 MST 2005


On 10/8/05, Paul <digium-list at 9ux.com> wrote:
>
> Mike M wrote:
>
> >On Fri, Oct 07, 2005 at 09:45:53PM -0400, Paul wrote:
> >
> >
> >>Also consider that there are situations where 100% open source is never
> >>allowed. Check out visa/mastercard processor certification for a good
> >>example. Digium dual licensing availability means I could actually stand
> >>a chance of using asterisk as the basis for systems used by military and
> >>law enforcement in applications that require extremely high security.
> >>
> >>
> >
> >There is a popular vendor of closed source products whose security has been
> >compromised often. The security of OpenSSH is well established.
> >
> >Reading this list we learn that the open source version of Asterisk is
> >currently being used by military personnel.
> >
> >Asterisk offers ways for users to implement eavesdropping applications which
> >undermines the goal of attaining extremely high security.
> >
> >Open source is for sharing if that's feasible and closed source is not.
> >Dual licensing is for both.
> >
> >
> >
> My point was not to argue that closed source enhances security. I was
> just pointing out that there are situations where the customer will not
> accept open source.
>
> Credit card processing would be a good example. You could design *-based
> systems for both the client (merchant) and server (processor) functions
> but last I knew visa/mc would not certify open source solutions.
>

Off topic but wanted to correct this. It's not the software that has to be
certified, it's the merchant (or payment processor). Ya you can pay a
security auditor to look at your software and say that it's compliant, but
it doesn't really mean anything. If you are a qualifying merchant or payment
processor you would still have to go through the complete audit even if you
used 'certified' software. Also, as a merchant you either have to go through
the full audit yourself, or use a certified payment gateway. You cannot for
example use 'certified' software as a merchant and connect directly to the
bank networks without going through the full audit yourself at an average
cost of around $20,000.

Chris