At 6:38 AM -0500 11/4/02, Jonathan S. Shapiro wrote:
Requirements, on the other hand, is a tough problem. David Chizmadia and
I started pulling together a draft higher-assurance OS protection
profile for a class we taught at Hopkins. It was drafted in tremendous
haste, and we focused selectively
Full disclosure alert: David and I have worked together on pulling
together some stronger protection profiles.
On Sun, 2002-11-03 at 20:28, David Chizmadia wrote:
The fundamental security assurance problem is usually not
with the basic OS features: i.e., scheduling and process,
memory, and
I'm answering this publicly, because there is a surprise in the answer.
On Sun, 2002-11-03 at 13:12, Arnold G. Reinhold wrote:
Jonathan S. Shapiro [EMAIL PROTECTED] wrote:
... If a
reputable group of recognized computer scientists were to publish a well
thought out set of evaluation
On Sat, 2002-11-02 at 17:48, Adam Shostack wrote:
On Sat, Nov 02, 2002 at 03:12:51PM -0500, Jonathan S. Shapiro wrote:
| Given that an EAL4 certification can fairly be characterized as nowhere
| near good enough for serious commercial use today, I think it is fair
| to harshly criticize these
On Sat, Nov 02, 2002 at 08:14:38PM -0600, Jim Hughes wrote:
| One Comment
|
| On Sat, 2002-11-02 at 16:48, Adam Shostack wrote:
|
| Actually, I think it is. I don't think that Linux would pass EAL4; as
| you've pointed out, that requires a documented and followed QA
| process. Would any
Is MacOS X EAL4?
Not so far as I know, but it could probably get there with some amount
of work if it isn't already.
MAC OS X and MAC OS X Server are currently in NIAP evaluation
at EAL3 (see http://niap.nist.gov/cc-scheme/InEvaluation.html).
This is sort of what I mean about EAL4 not
In message [EMAIL PROTECTED], Jonathan S. Shapiro writes:
I disagree. The problem is even more fundamental than that. The problem
today is the absence of liability for the consequences of bad software.
Once liability goes into place, CC becomes the industry-accepted
standard of diligent
Ron Luman II replies to Jim Hughes
Is it arguable that the difference is minimal. Is there
a more formal description of what can be done with an
EAL3 vs an EAL4 device?
If by 'what can be done' you are referring to recommended usage,
I'm not aware of any. If you mean functionality,
On Sat, Nov 02, 2002 at 11:54:36AM -0500, Jonathan S. Shapiro wrote:
| The word moderate here is very unfortunate. In reading such
| statements, one needs to understand a bit of subtext. The Common
| Criteria community is very concerned about the possibility that people
| will perceive assurance
On Sat, 2002-11-02 at 13:31, Adam Shostack wrote:
On Sat, Nov 02, 2002 at 11:54:36AM -0500, Jonathan S. Shapiro wrote:
| The effectiveness of
| the levels is modestly exaggerated, and the importance of going for
| higher levels is grossly understated.
|
| One unfortunate consequence is that
On Sat, Nov 02, 2002 at 03:12:51PM -0500, Jonathan S. Shapiro wrote:
| On Sat, 2002-11-02 at 13:31, Adam Shostack wrote:
| On Sat, Nov 02, 2002 at 11:54:36AM -0500, Jonathan S. Shapiro wrote:
| | The effectiveness of
| | the levels is modestly exaggerated, and the importance of going for
| |
Well,
Actually this is not completely true. If the Certification Lab is also the
Validation body, then the Certificate is only limited to the country of
Certification release.
Precisely in Germany (among other countries), you can get an EAL 4+
certification from a Laboratory... who's
At 11:41 PM 10/30/2002 Wednesday, Peter Gutmann wrote:
http://biz.yahoo.com/prnews/021029/sftu114_1.html
Microsoft Windows 2000 Awarded Common Criteria Certification
Tuesday October 29, 2:00 pm ET
Achieves Highest Level of Security Evaluation for the Broadest Set of Real-
World Scenarios
What
Gentlepeople:
I believe I have an interesting question... While I am not generally a
Microsoft fan, the documentation that was pointed to seems to be
inconsistent. I agree with most of what Jonathan says, and maybe this is
just a nit that is irrelevant to the discussion at hand.
The document
Hi Jim,
that level of risk. The assurance level is EAL 3 and the minimum
strength of function is SOF-medium.
But the press release states NT-2000 achieved EAL-4?
It was. The CAPP only specifies the minimum assurance level required.
Common Criteria EAL4-CAPP is roughly equivalent to ITSEC