[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

C2 vs Common Criteria [was: RE: Is this mail list dead?]

To: "'securedistros@nl.linux.org'" <securedistros@nl.linux.org>
Subject: C2 vs Common Criteria [was: RE: Is this mail list dead?]
From: "Dowd, Alan" <alan_dowd@securecomputing.com>
Date: Fri, 16 Mar 2001 09:29:39 -0600
Reply-To: securedistros@nl.linux.org
Sender: owner-securedistros@nl.linux.org

Title: C2 vs Common Criteria [was: RE: Is this mail list dead?]

Folks,

Let's get one thing clear -- C2 is dead! This was a designation for a combination of security features and development assurance processes that were put forth in the Orange Book (DOD 5200.28-STD) in 1983. It is history!

The current international standard for security functionality and development assurance is the Common Criteria v 2.1. This is a much different beast and a much different certification process. The basic documentation for the security specifications, assurance measures, and certification methodology runs to 1000+ pages. There are vendors who provide courses just to teach novices how to READ the specs. For comparison, the entire specification of C2 (Controlled access protection) runs to 3 pages in the December 1985 edition of the Orange Book.

By its very nature, the open Linux we all know cannot be certified under the Common Criteria -- the CC requires just too much formalized product management. At best, a distribution vendor such as Mandrake could produce a relatively frozen distribution that could be certified. But this would require that the end user not modify the evaluated code base if s/he wanted to preserve the evaluated rating.

For more information about the Common Criteria, point your browser at the web site(s) for the U.S. Scheme (oversight agency) at:

        http://niap.nist.gov/ (NIAP)
        http://csrc.nist.gov/cc/ (NIST)
        http://www.radium.ncsc.mil/tpep/ (NSA)

For information about U.S. sponsored Protection Profiles, point your browser at:

http://www.iatf.net/protection_profiles/profiles.cfm

Please excuse the US-centric nature of the links; this is where I work and these are the links I use. And, yes, I have performed development and evaluation of products using both the Rainbow Series (Orange Book, C2) and Common Criteria.

Regards,
Al Dowd (who still has his complete set of the Rainbow Series)

> -----Original Message-----
> From: Rik van Riel [mailto:riel@conectiva.com.br]
> Sent: Friday, March 16, 2001 6:31 AM
> To: securedistros@nl.linux.org
> Subject: Re: Is this mail list dead?
>
>
> On Thu, 15 Mar 2001, Casey Schaufler wrote:
>
> > > I mean, supposing
> > > everything is in place and it's just a bureocratic-thing
> that is missing,
> > > what would it cost to have this compliance tested?
> >
> > Not everything's in place yet. On the other hand, it's not
> > too far off.
>
> If the C2 stuff isn't too intrusive, maybe we could even
> try to convince Linus to get the (few?) kernel parts of it
> into the kernel...
>
> Rik
> --

Follow-Ups:
- Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
  - From: Casey Schaufler <casey@sgi.com>
- Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
  - From: Pedro Rosa <Pedro.Rosa@ksu.ru>

Prev by Date: Re: Is this mail list dead?
Next by Date: Re: Is this mail list dead?
Prev by thread: auth 8ed82802 subscribe securedistros edstephan@home.com
Next by thread: Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
Index(es):
- Date
- Thread