
Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]



Rick Smith at Secure Computing wrote:

> At 08:30 PM 3/16/01, Crispin Cowan wrote:
> 
>> Secure:  system architected such that only proper presentation of
>> authentication and authorization credentials permits access, and
>> forging said credentials requires solving intractable problems
>> (e.g. factoring 1000 bit primes).
> 
> 
> I love this definition, but I'm skeptical about its usefulness. I 
> think at most it permits the construction of toy systems. Once an OS 
> exceeds a certain bulk, it becomes impossible to reliably assert that 
> access depends solely on solving intractable problems. 

Hmmm. Several such "toys" of today were once a decisive tool to win 
wars, diplomatic gambles or political fights. In fact a "puzzle" 
system can be quite powerful if it's complex enough for the present 
technology. At least there is one point where a puzzle system may be 
quite useful - when you have a chance to observe the attempts to solve 
it. Not only is the attempt a significant piece of information, but 
the level of effort to solve the puzzle may also indicate what level of 
interest someone has in the break-in attempt.

> Hopefully they not only looked, but also took sharp knives and slashed 
> at it a lot.
> 
> And don't forget this one:
> 
> Evaluated: the vendor jumped through an expensive, government endorsed 
> series of hoops. It usually indicates that someone has poked it real 
> hard with a stick, and occasionally indicates even more. Of course it 
> doesn't guarantee a lack of security flaws. 

If a government is interested in such a thing...  Let's note that many 
countries really don't care too much about computer security. So the 
"evaluated" level can be seriously questionable. The case of a foreign 
government certification can be significant, but we should also note 
that many companies create national and international versions of their 
products.

In fact, even inside one country, one may fall into this case. One 
product is evaluated and certified, but it is "handicapped" for mass 
consumption. However, ads still claim "military grade" security or similar.

> 
> 
> Personally, I'm of two minds regarding security evaluations:
> 
> On the one hand, I like the idea of having third party standards that 
> systems must comply with in order to demonstrate fitness for a tough job.
> 
> On the other hand, evaluations don't seem cost effective for their 
> typical use, which is to provide a standardized, concise, and well 
> understood input to security accreditation decisions.  The 
> accreditation process involves a bunch of security re-testing anyway, 
> since the "real system" uses the evaluated device as a mere component. 
> I think the real value isn't in the "EAL 4" stamp, but in the 
> evaluation evidence, which describes what the thing is really up to. 
> But maybe the value is that the evaluation process at least ensures 
> that the assurance data is collected in a somewhat accessible format.

Well, in this case, I think one should consider avoiding taking popular 
mass-consumption distros onto a security bandwagon and concentrate on 
specific organisations/companies with a very good specialization in 
security. That would give a more solid status to the real product. In 
fact, such groups could concentrate evaluations on their own distros, 
which, I think, would give a better approach to what their "real 
thingies" offer.

> 
> Rick.
> smith@securecomputing.com

Ektanoor



-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/