> Dave Taht <[email protected]> wrote...
>
> On Mon, Apr 14, 2014 at 4:22 PM, <[email protected]> wrote:
>> All great points.
>>
>> Regarding the Orange Book for distributed/network systems - the saddest part
>> of that effort was that it was declared "done" when the standards were
>> published, even though the challenges of decentralized networks of
>> autonomously managed computers were already upon us. The Orange Book was for
>> individual computer systems that talked directly to end users and sat in
>> physically secured locations, and did not apply to larger scale compositions
>> of same. It did not apply to PCs in users' hands, either (even if not
>> connected to a network). It did lay out its assumptions; but the temptation
>> to believe its specifics applied when those assumptions weren't met clearly
>> overrode engineering and managerial sense.
> I worked on C2 level stuff in the early 90s, and on a db that tried to get B2
> certification - it was difficult, slow, painful, hard, and ultimately
> just a checkbox

Going far off-topic, I wrote a tongue-in-cheek article that was actually a suggestion we use labelling and crypto to create severely simplified orange-book compartments, in turn to protect confidentiality... http://www.slaw.ca/2014/01/02/thank-goodness-for-the-nsa-a-fable, with a more technical expansion at http://broadcast.oreilly.com/2013/12/where-were-ye-orange-book-in-w.html
In part, this was to see if I could reduce the problem space to something a startup would find possible to fund...

--dave
--
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
[email protected]           |                      -- Mark Twain
