
Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]



At 08:30 PM 3/16/01, Crispin Cowan wrote:

>Secure:  system architected such that only proper presentation of
>authentication and authorization credentials permits access, and forging
>said credentials requires solving intractable problems (e.g. factoring
>1000 bit primes).

I love this definition, but I'm skeptical about its usefulness. I think at 
most it permits the construction of toy systems. Once an OS exceeds a 
certain bulk, it becomes impossible to reliably assert that access depends 
solely on solving intractable problems.

>Apparently Secure:  no method is *known* to allow an attacker to violate
>security.  Obscurity makes it hard to find such means to violate security, so
>obscurity enhances Apparent Security(tm:-)

I believe this is the best security we see in large scale systems. A really 
good system combines hard-to-crack technologies in a compelling 
architecture, and the actual implementation manages to stand up to a lot of 
hard use.

>Trusted:  no method is known to allow an attacker to violate security, and
>some fairly qualified people have looked really hard, and documented the
>places they looked.
>"Trusted", as in, "some folks trust this thing because they checked it out
>real good." :-)

Hopefully they not only looked, but also took sharp knives and slashed at 
it a lot.

And don't forget this one:

Evaluated: the vendor jumped through an expensive, government-endorsed 
series of hoops. It usually indicates that someone has poked it real hard 
with a stick, and occasionally indicates even more. Of course it doesn't 
guarantee a lack of security flaws.

Personally, I'm of two minds regarding security evaluations:

On the one hand, I like the idea of having third-party standards that 
systems must comply with in order to demonstrate fitness for a tough job.

On the other hand, evaluations don't seem cost effective for their typical 
use, which is to provide a standardized, concise, and well understood input 
to security accreditation decisions.  The accreditation process involves a 
bunch of security re-testing anyway, since the "real system" uses the 
evaluated device as a mere component. I think the real value isn't in the 
"EAL 4" stamp, but in the evaluation evidence, which describes what the 
thing is really up to. But maybe the value is that the evaluation process 
at least ensures that the assurance data is collected in a somewhat 
accessible format.

Rick.
smith@securecomputing.com

-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/