I'm answering this publicly, because there is a surprise in the answer.
On Sun, 2002-11-03 at 13:12, Arnold G. Reinhold wrote:
> "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> >... If a
> >reputable group of recognized computer scientists were to publish a well
> >thought out set of evaluation criteria...
>
> If I may ask a naive question, couldn't such a set of evaluation
> criteria be abstracted from the design goals of Eros?

Funny you should ask that.

First, I need to correct my original statement: one needs both evaluation criteria and an effective requirement set for a secure OS. The Common Criteria evaluation process needs to be augmented with quantitative tests on the actual software artifact, but it's actually pretty good. Requirements, on the other hand, is a tough problem.

David Chizmadia and I started pulling together a draft higher-assurance OS protection profile for a class we taught at Hopkins. It was drafted in tremendous haste, and we focused selectively on the portions of CC we would cover in class, but it may provide some sense of how hard this is to actually do:

http://www.eros-os.org/assurance/PP/ASP-OS.pdf

Sorry about the formatting errors - it's an automatically generated document that needs cleanup.

The difficulty in drafting a PP like this is avoiding specifying solutions. A PP is supposed to be a requirements document. Unfortunately, you get into quandaries. Some of the requirements we think are important can be done in capability systems but not in non-capability systems (at least based on published verifications to date). It becomes tempting at that point to introduce requirements that can *only* be done by capability systems.

Also, much is present only by reading between the lines. An annotated document is needed in order to really make any headway on understanding what is implied by some of the requirements.

> Also there is no reason such a document need be as voluminous as
> existing criteria. It is high time we departed from the quality
> industries practice of focusing on tangential issues, ignoring
> substance and generating mountains of paper as a proxy for
> accomplishment.

Having read a number of existing protection profiles, I have to say that people have done quite well on this. There *is* some unneeded bulk, but this is primarily due to conventions that yield consistently styled documents. Once you understand how to read one PP you can read pretty much any PP. A modest amount of size expansion is a reasonable price to pay.

shap

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]