Common Criteria?

Jeff DeMello jdemello at agorics.com
Wed Apr 19 18:40:21 GMT 2000


> > Jeff DeMello wrote:
> 
> > If I were producing a product to be evaluated the only logical choice is a CC evaluation.  Why?  It's not free anymore:  NSA doesn't perform free evaluations anymore, they are done by NSA licensed evaluation firms, such as Arca Systems, and you must pay for them!  If you had to pay for an evaluation, why not pay for a CC evaluation, and reap the benefits. 
> ---
> I don't think anyone's going to argue benefits.  You are coming from
> the 'I know better than you' place...which isn't real "user-friendly"
> regardless of its truth and accuracy.  I've known about Orange Book 
> reputationally for about 6 years.  I only heard of CC and CAPP/LSPP this
> year.  It's just that the older stuff is better known.  I think anyone
> knowing about CC would go for that so why come down so harsh and all "you're
> so dumb for implementing B1" when it's simply about education.  You might
> ask if anyone knows about CC before coming out full guns of why it is
> better -- everyone would likely agree with you up front.

I'm sorry about the un-user-friendly approach.  It's just very frustrating to me that the world is still stuck in the Orange Book rut, when it has been acknowledged by pretty much everyone in the government and commercial security community that B1 is dead.  That is not a glib statement on my part, just a one-sentence summary of my experience of the last n years of dealing with this issue, and by interactions with representatives of NSA and CESG (UK's version of NSA).

I don't think anyone is "dumb about implementing B1", but, just as you say, uninformed.  My concerns are very pointed though, and that's due to the concern I have that a lot of effort is being expended in the "TBSD B1" area, when it might not be appropriate (I'm holding off saying "waste of time", as that might be inflammatory ;-) to e-business requirements.  I'm offering my experience (and I tend to offer it a bit harshly sometimes, sorry :-) to raise awareness that "B1" might not be the answer for e-commerce (it isn't) or even for domain separation (it isn't).  

The CC has been around for over 6 years.  I first participated in the first industry working group for it in Ottawa just about 5 years ago.  The criteria and mutual recognition between the countries was signed at the NISSC conference in Baltimore 1.5 years ago, so it is relatively "new".  It was just accepted as an ISO standard last year.  It has not been very well advertised by NSA, for whatever reasons (probably budget!).  If the market for TBSD is "the world", rather than "the US government market", the CC is the answer, not TCSEC.  Also, if the market for TBSD is "e-commerce", then "B1" is not the answer (reasons previously stated, and below).


>  I love your
> experience profile -- you wouldn't be interested in working at SGI to
> get up a CAPP/LSPP cert'ed modular security system that could be used
> on Linux or BSD systems, would you?  :-)
 
Thank you ... e-mail / call me!


> 
> 
> What are the benefits:  Products evaluated under the CC are formally mutually recognized in the United States, Canada, France, Germany, the United Kingdom, Australia, New Zealand, Finland, Italy, Norway, Netherlands, Sweden, Switzerland, and informally elsewhere.
> ---
> The latest mutual recognition documents I've seen have only included
> 6 countries.  The UK, France, Netherlands, Canada, Germany and the US.  Could
> you point me to a document on the 'commoncriteria.org' or the 
> www.radium.ncsc.mil documentation site documenting the other countries?  I
> don't want to requote you w/o being able to cite an original source.

The source of my information was http://www.itsec.gov.uk/ , click on the "More Information" button on the left, click on the "Security Evaluation and Criteria" bullet item.  The list of mutually recognized countries is under the "Common Criteria" heading.  Unfortunately, to get the "big CC picture" you must look beyond the radium.ncsc server.  (Not to be too political, but it is a very competitive evaluation environment - few evaluations & lots of evaluators, and NCSC is looking after #1! :-)



> > > Given that currently the TrustedBSD project does not have much in
> > > the way of funding and support, evaluation is not being planned for,
> > > although it is being designed and documented with that in mind.  Now would
> > > be the time to retarget evaluation criteria, if necessary.
> > Given my statements above, I still have the question.  Why is Trusted BSD being designed and documented with the Orange Book in mind?  
> ---
> Because maybe everyone hasn't been in the security field as long
> as you have.  Come on, remember what it was like when you started?  Did you
> know all the sources, all the resources?  Etc.  

Yes I remember ... the Orange Book was just published!  :-)   Ahhh, the good ol' days!



> > END SOAPBOX   ;-)
> > 
> > I hope that helps!
> ---
> Woulda been better w/o the soap...I have bubbles in my mouth.
> 
> BTW, minor nit...you said "certificates are mutually recognized by those
> countries up to the EAL4 assurance level (which is about the same level of assurance required of B1)".  B1 equivalent, LSPP, actually requires an Evaluation
> Assurance Level of '3' as does the C2 equivalent (CAPP).  

Another one of my experiences:  The LSPP and the CAPP were brought to you by the same people who brought you the Orange Book ... NSA.  They are a translation of the C2 and B1 requirements into "CC-ese".  Just because it's a "Certified Protection Profile", IMHO, it doesn't mean (not to sound inflammatory, sorry) but "squat".  I've had extensive discussions with NSA, GCHQ, and many commercial companies about this.  If "B1" and "C2" requirements aren't valid requirements for the government (or any) market, then translating them to "CC-ese" doesn't change the fact that they aren't valid.  Again, on my soapbox, translating the C2 and B1 requirements into CC language was a great academic exercise, and having them evaluated by the same agency that produced them is interesting in itself, however they are not valid business requirements.  Why?

The following paragraph is reality, it might not sound politically correct but here it is:

There is NO government agency that has ever mandated C2 as an agency wide business requirement.  There is NO government agency that has ever mandated B1 as an agency wide business requirement.  Individual programs within some agencies have mandated C2 or B1, but as I have stated before, by my experiences are usually waived or "adjusted" somehow.  As far as I know, and correct me if I'm wrong, there is NO (U.S.) government agency that has mandated CAPP or LSPP.

Which leads me back to: "why build it if no one requires it".  

I do, however, think there are a set of e-commerce / i-business security requirements that might be addressed by TBSD that would make TBSD extremely valuable to the "secure OS" market.  And by "secure OS" I don't mean B1, I mean "an operating system that provides a greater amount of security functionality with better-than-vendor-assurance-claims".



> You can find the latest LSPP and CAPP documents on www.radium.ncsc.mil
> under the computer eval part, Protection Profiles.

Thanks ... I submitted my comments on them in their pre-version 1.0 state!  A lot of them were incorporated!


> I have a 25 page regurgitation of the EAL3 requirements needed
> for LSPP and CAPP if anyone is interested.  I could save it as HTML --
> It is *purely* for my own edification to more fully understand the requirements
> and should be viewed as such.  I'm still working on a useful regurgitation
> of the CAPP functional specs -- I likely won't be doing LSPP for a while
> unless I get *real* motivated, since our first priority is just meeting 
> CAPP.  

If you (or anyone) wants to chat, please call me at 650-941-8224 (I'm in Los Altos, CA) ... it's always better in real time with a real voice!

-jeff-


> -- 
> Linda A Walsh                    | Trust Technology, Core Linux, SGI
> law at sgi.com                      | Voice: (650) 933-5338