Re: DOD 5200.28-STD capable OS?

From: Daniel Faigin (faigin@pacificnet.net)
Date: 02/07/03


From: Daniel Faigin <faigin@pacificnet.net>
Date: Fri, 07 Feb 2003 12:36:37 -0800

On Fri, 07 Feb 2003 08:49:47 -0800, Casey Schaufler <casey@sgi.com>
wrote:

>In today's world, that is the Common Criteria, there aren't many
>system yet available. Of course, the best ones come from SGI.
>Our Irix system (the basic U2X OS) is CAPP (replaces C2) evaluated
>and our Trusted Irix (Trix to it's friends) system is LSPP (B1)
>evaluated.

I wonder why Casey says this :-)

There are numerous CAPP systems out there, either evaluated by the US
other other signatory nations to the MRA. For example, Win 2K,
Solaris, etc. Before you use these systems, you should carefully read
the Security Target and note the assumptions.

>B2 and above still lies in the realm of too expensive to
>seriously consider, which is a shame. I'd personally love
>to attack the issues.

The main reason you are not seeing "B2 and above" is that the
evaluation methodology has not been defined for EAL5 and above. Thus,
there is no mutually accepted way to evaluate these things. However,
even with that, I'm aware of efforts by Getronics (nee Wang Federal
nee HFSI nee Honeywell) to evaluate a high-assurance XTS-400 OS, which
would have a Linux-compatible interface.

Daniel

W/H: faigin@pacificnet.net http://www.pacificnet.net/~faigin/
Mod., Mail.Liberal-Judaism (www.mljewish.org) Advisor, s.c.j.Parenting
Maintainer, S.C.J FAQ/RL (www.scjfaq.org) Daddy to Erin Shoshana
Maintainer, Calif. Highways List (www.cahighways.org)
Webmaven, Temple Beth Torah of Granada Hills (www.bethtorah-sfv.org)