<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4030.2400" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV>> > Jeff DeMello wrote:<BR>> <BR>> > If I were producing a
product to be evaluated, the only logical choice is a CC evaluation.
Why? It's not free anymore: NSA doesn't perform free evaluations
anymore; they are done by NSA-licensed evaluation firms, such as Arca Systems,
and you must pay for them! If you had to pay for an evaluation, why not
pay for a CC evaluation and reap the benefits? <BR>> ---<BR>> I don't
think anyone's going to argue benefits. You are coming from<BR>> the 'I
know better than you' place...which isn't real "user-friendly"<BR>>
regardless of its truth and accuracy. I've known about Orange Book
<BR>> reputationally for about 6 years. I only heard of CC and
CAPP/LSPP this<BR>> year. It's just that the older stuff is better
known. I think anyone<BR>> knowing about CC would go for that, so why
come down so harsh and all "you're<BR>> so dumb for implementing B1" when it's
simply about education. You might<BR>> ask if anyone knows about CC
before coming out full guns of why it is<BR>> better -- everyone would likely
agree with you up front.</DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff>I'm sorry about the un-user-friendly approach.
It's just very frustrating to me that the world is still stuck in the Orange
Book rut, when it has been acknowledged by pretty much everyone in the
government and commercial security community that B1 is dead. That is
not a glib statement on my part, just a one-sentence summary of my experience of
the last n years of dealing with this issue, and of my interactions with
representatives of NSA and CESG (the UK's version of NSA).</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>I don't think anyone is "dumb about implementing B1",
but, just as you say, uninformed. My concerns are very pointed though, and
that's due to the concern I have that a lot of effort is being expended in the
"TBSD B1" area, when it might not be appropriate (I'm holding off saying "waste
of time", as that might be inflammatory ;-) to e-business requirements. I'm
offering my experience (and I tend to offer it a bit harshly sometimes,
sorry :-) to raise awareness that "B1" might not be the answer for
e-commerce (it isn't) or even for domain separation (it isn't).
</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>The CC has been around for over 6 years. I first
participated in the first industry working group for it in Ottawa just about 5
years ago. The criteria and mutual recognition between the countries were
signed at the NISSC conference in Baltimore 1.5 years ago, so it is relatively
"new". It was just accepted as an ISO standard last year. It has not
been very well advertised by NSA, for whatever reasons (probably budget!).
If the market for TBSD is "the world", rather than "the US government market",
the CC is the answer, not TCSEC. Also, if the market for TBSD is
"e-commerce", then "B1" is not the answer (reasons previously stated,
and below).</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV> </DIV>
<DIV>> I love your<BR>> experience profile -- you wouldn't be
interested in working at SGI to<BR>> get up a CAPP/LSPP cert'ed modular
security system that could be used<BR>> on Linux or BSD systems, would
you? :-)</DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff>Thank you ... e-mail / call me!</FONT></DIV>
<DIV> </DIV>
<DIV><BR>> <BR>> <BR>> What are the benefits: Products evaluated
under the CC are formally mutually recognized in the United States, Canada,
France, Germany, the United Kingdom, Australia, New Zealand, Finland, Italy,
Norway, Netherlands, Sweden, Switzerland, and informally elsewhere.<BR>>
---<BR>> The latest mutual recognition documents I've seen have only
included<BR>> 6 countries. The UK, France, Netherlands, Canada, Germany
and the US. Could<BR>> you point me to a document on the
'commoncriteria.org' or the <BR>> <A
href="http://www.radium.ncsc.mil">www.radium.ncsc.mil</A> documentation site
documenting the other countries? I<BR>> don't want to requote you w/o
being able to cite an original source.<BR></DIV>
<DIV><FONT color=#0000ff>The source of my information was </FONT><A
href="http://www.itsec.gov.uk/"><FONT
color=#0000ff>http://www.itsec.gov.uk/</FONT></A><FONT color=#0000ff>:
click on the "More Information" button on the left, then click on the "Security
Evaluation and Criteria" bullet item. The list of mutually recognized
countries is under the "Common Criteria" heading. Unfortunately, to get
the "big CC picture" you must look beyond the radium.ncsc server. (Not to
be too political, but it is a very competitive evaluation environment - few
evaluations & lots of evaluators, and NCSC is looking after #1!
:-)</FONT></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR>> > > Given that currently the TrustedBSD project does not
have much in<BR>> > > the way of funding and support, evaluation is not
being planned for,<BR>> > > although it is being designed and
documented with that in mind. Now would<BR>> > > be the time to
retarget evaluation criteria, if necessary.<BR>> > Given my statements
above, I still have the question. Why is Trusted BSD being designed and
documented with the Orange Book in mind? <BR>> ---<BR>> Because
maybe everyone hasn't been in the security field as long<BR>> as you
have. Come on, remember what it was like when you started? Did
you<BR>> know all the sources, all the resources? Etc. </DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>Yes I remember ... the Orange Book was just
published! :-) Ahhh, the good ol' days!</FONT></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR>> > END SOAPBOX ;-)<BR>> > <BR>> > I hope
that helps!<BR>> ---<BR>> Woulda been better w/o the soap...I have bubbles
in my mouth.<BR>> <BR>> BTW, minor nit...you said "certificates are
mutually recognized by those<BR>> countries up to the EAL4 assurance level
(which is about the same level of assurance required of B1)". The B1
equivalent, LSPP, actually requires an Evaluation<BR>> Assurance Level of '3',
as does the C2 equivalent (CAPP). </DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff>Another one of my experiences: The LSPP and the
CAPP were brought to you by the same people who brought you the Orange Book ...
NSA. They are a translation of the C2 and B1 requirements into
"CC-ese". Just because it's a "Certified Protection Profile", IMHO, it
doesn't mean (not to sound inflammatory, sorry) "squat". I've had
extensive discussions with NSA, GCHQ, and many commercial
companies about this. If "B1" and "C2" requirements aren't valid
requirements for the government (or any) market, then translating them to
"CC-ese" doesn't change the fact that they aren't valid. Again, on my
soapbox, translating the C2 and B1 requirements into CC language was a great
academic exercise, and having them evaluated by the same agency that produced
them is interesting in itself; however, they are not valid business
requirements. Why?</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>The following paragraph is reality, it might not sound
politically correct but here it is:</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>There is NO government agency that has ever mandated C2
as an agency-wide business requirement. There is NO government agency that
has ever mandated B1 as an agency-wide business requirement.
Individual programs within some agencies have mandated C2 or B1, but as I have
stated before, in my experience they are usually waived or "adjusted" somehow.
</FONT><FONT color=#0000ff>As far as I know, and correct me if I'm wrong, there
is NO (U.S.) government agency that has mandated CAPP or LSPP.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff>Which leads me back to: "why build it if no one requires
it". </FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>I do, however, think there is a set of
e-commerce / i-business security requirements that might be addressed by
TBSD that would make TBSD <EM>extremely valuable </EM>to the "secure OS"
market. And by "secure OS" I don't mean B1, I mean "an operating system
that provides a greater amount of security functionality with
better-than-vendor-assurance-claims".</FONT></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR>> You can find the latest LSPP and CAPP documents on <A
href="http://www.radium.ncsc.mil">www.radium.ncsc.mil</A><BR>> under the
computer eval part, Protection Profiles.<BR></DIV>
<DIV><FONT color=#0000ff>Thanks ... I submitted my comments on them in their
pre-version 1.0 state! A lot of them were incorporated!</FONT></DIV>
<DIV> </DIV>
<DIV><BR>> I have a 25 page regurgitation of the EAL3 requirements
needed<BR>> for LSPP and CAPP if anyone is interested. I could save it
as HTML --<BR>> It is *purely* for my own edification to more fully
understand the requirements<BR>> and should be viewed as such. I'm
still working on a useful regurgitation<BR>> of the CAPP functional specs --
I likely won't be doing LSPP for a while<BR>> unless I get *real* motivated,
since our first priority is just meeting <BR>> CAPP. </DIV>
<DIV> </DIV>
<DIV><FONT color=#0000ff>If you (or anyone) wants to chat, please call me at
650-941-8224 (I'm in Los Altos, CA) ... it's always better in real time
with a real voice!</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><EM><FONT color=#0000ff>-jeff-</FONT></EM></DIV>
<DIV> </DIV>
<DIV><BR>> -- <BR>> Linda A Walsh | Trust Technology, Core Linux, SGI<BR>> <A
href="mailto:law@sgi.com">law@sgi.com</A> | Voice: (650) 933-5338<BR>> To Unsubscribe: send mail to <A
href="mailto:majordomo@trustedbsd.org">majordomo@trustedbsd.org</A><BR>> with
"unsubscribe trustedbsd-discuss" in the body of the message<BR>>
</DIV></BODY></HTML>