From owner-freebsd-security Fri Mar 12 7:43:41 1999 Delivered-To: freebsd-security@freebsd.org Received: from trump.amber.org (trump.amber.org [209.31.146.82]) by hub.freebsd.org (Postfix) with ESMTP id B8F2615449 for ; Fri, 12 Mar 1999 07:43:39 -0800 (PST) (envelope-from petrilli@amber.org) Received: by trump.amber.org (Postfix, from userid 1000) id 2055D18603; Fri, 12 Mar 1999 10:43:38 -0500 (EST) Message-ID: <19990312104338.C2762@amber.org> Date: Fri, 12 Mar 1999 10:43:38 -0500 From: Christopher Petrilli To: freebsd-security@FreeBSD.ORG Subject: Re: disapointing security architecture References: <199903120628.WAA73182@apollo.backplane.com> <19990312162147.C22324@unicorn.quux.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <19990312162147.C22324@unicorn.quux.org>; from The Unicorn on Fri, Mar 12, 1999 at 04:21:47PM +0100 X-Disclaimer: I hardly speak for myself, muchless anyone else. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Mar 12, 1999 at 04:21:47PM +0100, The Unicorn wrote: > > You are referring to the Orange Book, published by the U.S. Department > of Defense. Also known as Trusted Computer Systems Evaluation Criteria > (TCSEC), CSC-STD-001-S3, 1983. Part of the rainbow series. As far as I > know these are still available online. Check out: When I get home I'll post the information, but you can call the NSA and they will send you a set for free :-) I've got mine, don't you have yours? ;-) > Absolutely, but beware... Things got rather nasty when M$ announced that > NT was C2 compliant (but only when networking was disabled :-). If I > remember correctly this kind of certification is not only dependend on > system software, but also on the hardware used during the certification. > Therefor C2 certification on PC hardware may not really be what we are > looking for... Then again I could be remembering incorrectly. Acutally, there's some discussion in the gov't world about filing a lawsuit about misrepresentation oer this one... they continue to claim NT is "C2 certified" when in fact, it's not... and it's especially not with a floppy or a network card installed. It's pushed against the Orangle Book standards, not the Red Book (Network INterpretation). Honestly, however, it's important to understand that this is not where things are going. The Common Criteria are where things are going, and these look a lot like the UK-based ITSEC standards, in that they are more focused and allow different parts of the OS to meet different standards---mix and match as it were. The biggest problem with certification is that 1) it requires a HUGE HUGE HUGE amount of documentation, 2) it requires someone to "own" the product in ordetr to be responsible for problems, 3) it requires a good bit of money. Not that I think this is a bad idea, but this is probably something for FreeBSD4, no earlier definately... in fact, it could take 2 years to get everything certified, if you move quickly :-) Chris -- | Christopher Petrilli ``Television is bubble-gum for | petrilli@amber.org the mind.''-Frank Lloyd Wright To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message