I really think MS wanted to certify 3.51 with the DoD so they could sell 
the OS to DoD.  The DoD was a large, available market and MS$ft wanted it 
all.  I also believe that it was an advertising scheme to bring more 
customers into their monopoly.  Even though the more technical engineering 
person knew better, the decision maker was swayed by the term C2 - WOW.

Just my thoughts, though, and I know we are digressing.

-----Original Message-----
From:   Michael.Owen [SMTP:[EMAIL PROTECTED]]
Sent:   Wednesday, June 23, 1999 11:34 AM
To:     David.Markle
Cc:     Michael.Owen; firewalls; Peter.Kunz
Subject:        RE: C2 Security

> We are discussing the US government classification of security levels
> DoD levels pertaining to the "Orange Book", written by the US
> Department of Defense, and NSA criteria pertaining to the "Red Book".
> To be specific, Microsoft requested a C2 certifiable security level
> from-specifically-the DoD.

Ah. I wasn't aware that in addition to the ITSEC E3 F-C2 certification,
they had gone to the DoD for another "possibility of" certification.
This strikes me as odd, given that I thought the US Gov't recognised
ITSEC classifications, but whatever.

Actually, I just checked Microsoft's website, and if you look at

http://www.microsoft.com/NTServer/security/exec/feature/c2_security.asp

They say that they're currently having NT 4.0 evaluated for certification
in the TPEP program by SAIC. (This is a full evaluation, not any sort of
"hypothetical" one.)
(As I'm sure you know, the TPEP program is the NSA sponsored product
evaluation scheme which is used for all commercial products being sold
to the US government.)

(I've read bits of the Orange book, btw, and I agree - it's boring.)

> I absolutely think that better, more robust standards should be
> devised for the public sector regarding security.
> What you say may be true of other nations, however.

ITSEC standards are recognised by most of Europe, Canada, and the United
States, and are fairly widely used. Trusted Solaris 2.5.1, for example, is
ITSEC certified. Checkpoint Firewall-1 is ITSEC certified. We're not
talking exotic UK only specs here. ;-)

None of this changes the fact that most people who understand
certification seem impressed by Microsoft's non-networked certificates.
(Which was the original point we've been saying over and over, I think..)

cheers,

Michael

[EMAIL PROTECTED]

