[Bp_certs] About types of CERTs
Patrik Fältström
paf at frobbit.se
Wed Jul 16 16:25:20 EDT 2014
My personal view, after looking at a few "failed" CERT initiatives, is that whether a cert is successful or not depends completely (like any business) on whether external parties from the cert do believe the cert delivers whatever the cert is supposed to deliver.
I.e. the number one recommendation from me is always that the cert defines what "products" the cert is producing. What is the cert doing? What is it delivering to what customers?
Given that certain products are to be delivered, the cert needs information. Only if the cert manages to gain trust (that they will deliver whatever they are to deliver) will external parties (peers) start to give them information.
So, to conclude:
1. Define what the cert's role in the community is
2. Define what services / products the cert produces
3. Convince peers that (2) is doable
4. Deliver (1) and (2)
5. Get data that make delivery easier
6. By doing (4) gain more trust, and get more data (5), and continue a positive continuation
Forcing people to work with a (national) cert will not work. If people have problems, they will, in my view, primarily talk with their vendor and the vendor support mechanism, which often is part of the cert structure.
I.e. people talk with "national cert" if it helps them. Not if they are forced to.
Patrik