Oh come on. Security certification is a laughably stupid concept. Giving it any sort of lip service is disingenuous.
On Tue, Feb 02, 2010 at 02:15:00PM -0500, Brad Tilley wrote:
> On Tue, 02 Feb 2010 18:09 +0000, "Bayard Bell"
> <[email protected]> wrote:
> > Formal evaluation just means that the features judged relevant to the
> > evaluation can be minimally verified. On the flip side, there's David
> > Litchfield's observation in the introduction to The Oracle Hacker's
> > Handbook: "The Oracle RDBMS was evaluated under Common Criteria to
> > EAL4... However, the first few versions of Oracle that gained EAL4 had
> > a buffer overflow in the authentication mechanism." He goes on to say that
> > standards are necessary to some extent but not fully indicative.
> > You'll find summary arguments and starting links off the Common
> > Criteria's Wikipedia entry. Given such limitations, perhaps you might
> > propose a more open evaluation and make code access for audit,
> > including by escrow access for an established third-party authority,
> > as a major criterion?
>
> Common Criteria - http://www.iso15408.net - has largely replaced ITSEC and
> others. Like some other ISO standards, you may have to purchase a copy. I
> would say that CC makes some people feel good, but does little in the way of
> real security. Microsoft Windows XP is EAL4 certified when configured certain
> ways. I think the certification process can be very narrowly focused on a few
> parts of the system so the vendor can say, "Look at this component of our OS,
> but not those" or "Certify our OS when configured a certain way".
>
> It's a costly process too and takes a while to complete. I'm not sure any open
> source OS is certified. For-profit, vendor-backed Linux distributions (RHEL)
> may be, as they have the time and money to waste on it, and TrustedBSD makes
> reference to CC, but I don't think it's certified.
>
> Brad
>
> > On 1 Feb 2010 at 23:06, Keith wrote:
> >
> > > I've used OpenBSD & PF for a number of years without issue and am
> > > now in the position that I want to create a DMZ between the Internet
> > > and my organisation's WAN. Our security people are asking if the
> > > firewall that we use is accredited by ITSEC and I am pretty sure
> > > it isn't, but it turns out that our security people will be happy if
> > > the firewall is accredited for use by another government!
> > >
> > > I am very happy with my PF firewalls and their reliability and don't
> > > want to be forced into purchasing some Cisco / forenet commercial
> > > firewall that I've never used before, so am desperate to find some
> > > details of any foreign governments that are using OpenBSD / PF as a
> > > firewall or any details of any certification of the PF firewall.
> > >
> > > Can anyone help me out?
> > >
> > > Thanks
> > > Keith

