[Bp_certs] About types of CERTs
Patrik Fältström
paf at frobbit.se
Thu Jul 31 03:25:31 EDT 2014
On 31 jul 2014, at 08:43, Damir Rajnovic <gausix at gmail.com> wrote:
> I would say that government of a particular country designate
> who is the national CERT. The government would simply point
> to a team and say "you are national CERT" and give them their
> marching orders. The government would then define who would be
> constituency and what services the national team would provide.
>
> Simply as that - they are created by fiat.
I think the point is that regardless of whether this happens or not, if the "local community" does not trust the CERT or otherwise does not believe they do a good job, various parties will not share information with them. Simply because of lack of trust.
This is why I say simply that when the CERT is defined, along with the products/services the CERT produces and the customers/constituency, then it is up to the constituency to decide whether the CERT is to continue to operate. Only if the customers/constituency believe they save time and energy by sharing information with the CERT (by getting things back) will information be shared.
A CERT will never survive in the long term by forcing or mandating people to give information to the CERT.
And because of that, in many cases a country does not need a CERT for pure operational reasons for ISPs. Specifically in the cases where the ISPs cover more than one country (like in areas of the planet such as Europe that have many countries).
Because of that, CERTs might not have as a goal to be a CERT for ISPs? Maybe they should be a help for, for example, public services and governmental agencies?
I.e. it all has to do with matching "the needs within the constituencies" with "products/services produced by the CERT".
If that matches, then the CERT is successful!
And exactly what and how the match is done varies -- a lot -- between the well functioning CERTs that exist in the world.
Some of the more questionable CERTs I have met (I have never really worked for one, but interact with many) could not even answer the question: "What services do you provide for whom?".
That is for me a start. That each CERT defines what they do. Then in a second step they demonstrate they do it well.
Now, where in this does the "national CERT" fit in? In some cases it has to do with the CERT being the agency that has special protection by legislation (so that IF you give information to the CERT it does not end up being "open data"). In others that the providers of public e-services must report issues and incidents to them, in others that they directly get peers in other countries (regardless of what products they provide), in others...well, "it all depends".
One help for CERTs being created, I think, is to create a list of _possible_ services a CERT can provide, and then for each one of these services a list of the information and other needs that exist to be able to provide that service. Then new CERTs can pick from that list of services, and they should be recommended to start by picking very, very few, but become darn good at them. Because, once again, the importance is that no one else provides those services for the local community.
Patrik