Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]
> "Dowd, Alan" wrote:
> Let's get one thing clear -- C2 is dead!
Yes, but it lives on in the hearts of those of us
who have given of ourselves to make its short life
meaningful.
The NSA has produced a Common Criteria Protection Profile,
the Controlled Access Protection Profile (CAPP), which
replaces C2. All US requirements for C2 have been replaced
by CAPP.
I'm old, and use C2 when I mean CAPP sometimes.
> By its very nature, the open Linux we all know cannot be certified
> under the Common Criteria -- the CC requires just too much formalized
> product management. At best, a distribution vendor such as Mandrake
> could produce a relatively frozen distribution that could be
> certified. But this would require that the end user not modify the
> evaluated code base if s/he wanted to preserve the evaluated rating.
Goodness gracious, that's an old whine. They said the
exact same thing about U2X in the early eighties. Sun
is still trying to convince people that "It's too hard!".
If God had meant us to compute securely, He'd have given
us more prime numbers!
> For more information about the Common Criteria, point your browser at
> the web site(s) for the U.S. Scheme (oversight agency) at:
>
> http://niap.nist.gov/ (NIAP)
> http://csrc.nist.gov/cc/ (NIST)
> http://www.radium.ncsc.mil/tpep/ (NSA)
>
> For information about U.S. sponsored Protection Profiles, point your
> browser at:
>
> http://www.iatf.net/protection_profiles/profiles.cfm
I recommend all these links. Lots of fun, and good bedtime reading.
--
Casey Schaufler Manager, Trust Technology, SGI
casey@sgi.com voice: 650.933.1634
casey_p@pager.sgi.com Pager: 888.220.0607
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/