
Re: C2 vs Common Criteria [was: RE: Is this mail list dead?]



I wrote:

>>I love this definition, but I'm skeptical about its usefulness. I think 
>>at most it permits the construction of toy systems. Once an OS exceeds a 
>>certain bulk, it becomes impossible to reliably assert that access 
>>depends solely on solving intractable problems.

At 01:02 PM 3/19/01, Pedro Rosa wrote:

>Hmmm. Several such "toys" of today were once a decisive tool to win wars, 
>diplomatic gamblings or political fights. In fact a "puzzle" system can be 
>quite powerful if it's complex enough for the present technology. At least 
>there is one point where a puzzle system may be quite useful - when you 
>have a chance to observe the attempts to solve it. Not only the attempt is 
>a significative piece of information as also the level of effort to solve 
>the puzzle may inform what level of interest someone may set in the 
>break-in attempt.

Back when William Crowell was still trying to argue Congress out of 
relaxing export controls, he said that the German WW II crypto technology 
was perfectly sufficient to develop uncrackable "puzzles" of the sort we're 
speaking of.

Yet they failed. The puzzles proved crackable in the real world even if 
their abstract design may have been uncrackable.

That's my point -- the strong mechanisms are only the first step, and you 
have numerous opportunities to render them worthless as the system evolves.

Regarding this comment:

>IF a government is interested in such a thing...  Let's note that many 
>countries really don't care too much about computer security. So the 
>"evaluated" level can be seriously questionable. The case of a foreign 
>government certification can be significative but we should also note that 
>many companies create national and international versions of their products.

Would you be willing to identify some countries that perform CC evaluations 
but "don't care too much about computer security?" Are you referring to 
those Common Criteria nations who are in the reciprocity agreement with the 
US? I doubt that they take security much less seriously than the US. Hey, 
some of those governments *really* *enforce* the requirement that their 
government purchase evaluated products. Unlike the US.

Last fall at NISSC, several folks involved in US evaluations conveyed to me 
the belief that U.S. evaluations were the only "serious" evaluations, and 
that overseas evaluators just didn't do as good of a job. I chalked this up 
to Not Invented Here, fear of lower cost foreign labor, and a residual NSA 
fever about losing control.

If overseas evaluations are indeed 'weaker' I think it's more a question of 
their evaluation community having a more realistic understanding of 
commercial vendors, and more experience with cost-effective commercial 
certification processes. At least, that's the impression I got when 
comparing US and overseas (British) evaluation houses. I wrote it up in my 
NISSC paper last year.

In any case, if an overseas EAL 4 is really inferior to a US one, then 
remember: bad money *always* drives out the good. It's essential that 
everyone trade coin of the same value. Otherwise people are getting 
cheated, both the vendors who overpaid for a cheaper stamp and the 
customers who were misled into expecting more than the value really 
conveyed. If EAL 4 costs $200,000 more in the US, then US vendors are being 
cheated, especially if that means they must meet more stringent 
requirements than those applied overseas.

>In fact, even inside one country, one may fall into this case. One product 
>is evaluated and certified but it is "handicapped" for massive consume. 
>However ads still claim "military grade" security or similar.

Definitely true. If there exists a version of the product with the Security 
Stamp of Approval (whatever it is this week) then every version of that 
product gets a bit of tar from the same brush. It's like those car ads that 
show the sporty model with all the fixings, but quote the base price of the 
stripped down model. Read the fine print.

Rick.
smith@securecomputing.com

-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/