On Wednesday 09 April 2014 06:38:38 Jamie Duncan wrote:
> I don't know what you mean by 'commercial OS'.
>
> Let me rewind a little and make sure I'm completely clear in the point I
> was trying to make. I blame the horrid hotel room I'm in right now for any
> confusion.
>
> I mostly work in the government space these days. Certifications like
> Common Criteria, FIPS, FISMA, et al. include not only the bits but the build
> environments/processes/etc. as well. They are time-consuming, expensive and
> the RHEL certifications for these standards don't apply to
> SL/CentOS/OEL/foo.
Just to follow on that, the standards don't apply to the source in this case, they apply to the binaries, which starts with the source, follows through a verified build environment and on to signed binaries (and how they are signed, and how those keys are handled, as well). It's a major pain, which is why the OpenSSL project's FIPS efforts are all sub-projects; getting FIPS binaries out is a pita worth a project all its own (and is *really* expensive, which is why only certain parts are FIPS certified).

To understand a part of why the source isn't the main issue, review the classic "Trusting Trust" (AKA "Mother of all Security Fears") by Ken Thompson -- yes, *that* Ken Thompson.

http://cm.bell-labs.com/who/ken/trust.html

That said, Thompson's paper will also demonstrate why this isn't enough for complete security, but it's the best a large organization can do...
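The chain the message describes (source, verified build environment, signed binaries, handling of the signing keys) is easier to see in code. The following is an added example, not part of this thread and not anything OpenSSL or Red Hat ship: a small Python sketch in which trust is attached to the built artifact rather than to the source, through a manifest of binary hashes that is itself authenticated. It uses an HMAC under a shared release key as a stand-in for the asymmetric signature a real distribution would use (a deliberate simplification); the file names, the byte strings standing in for binaries, and the keys are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for two built binaries (not real ELF files).
ARTIFACTS = {
    "bin/foo": b"\x7fELF\x02\x01\x01 constructed bytes for a hypothetical binary foo",
    "bin/bar": b"\x7fELF\x02\x01\x01 constructed bytes for a hypothetical binary bar",
}

# Constructed release key. In a real pipeline this would be a private signing
# key kept in an HSM; the HMAC below is only a simplified substitute.
RELEASE_KEY = b"constructed-release-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes; this is what the manifest records."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Deterministic encoding of the manifest entries so the tag is reproducible."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, signing_key: bytes) -> dict:
    """Produced at the end of the verified build: hash every binary, then
    authenticate the whole list so entries cannot be swapped later."""
    entries = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    tag = hmac.new(signing_key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_manifest(manifest: dict, verify_key: bytes) -> bool:
    """Check the manifest was produced under the key the verifier trusts."""
    expected = hmac.new(verify_key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_artifact(name: str, data: bytes, manifest: dict, verify_key: bytes):
    """Decide whether a binary may be trusted. Returns (ok, reason).
    Note that the source code is never consulted: only the bytes that were
    actually built and the authenticated record of them matter."""
    if not verify_manifest(manifest, verify_key):
        return False, "manifest authentication failed"
    expected = manifest["entries"].get(name)
    if expected is None:
        return False, "artifact not listed in manifest"
    if not hmac.compare_digest(expected, sha256_hex(data)):
        return False, "binary hash mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the verifier over the genuine case and the failure modes."""
    results = {}
    manifest = build_manifest(ARTIFACTS, RELEASE_KEY)

    # Genuine binary, genuine manifest, trusted key.
    results["genuine"] = verify_artifact("bin/foo", ARTIFACTS["bin/foo"], manifest, RELEASE_KEY)

    # Binary altered after the build; the manifest still records the original hash.
    altered = ARTIFACTS["bin/foo"] + b"\x00"
    results["tampered_binary"] = verify_artifact("bin/foo", altered, manifest, RELEASE_KEY)

    # Attacker also rewrites the manifest entry but cannot reproduce the tag.
    forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
    forged["entries"]["bin/foo"] = sha256_hex(altered)
    results["tampered_manifest"] = verify_artifact("bin/foo", altered, forged, RELEASE_KEY)

    # Same source rebuilt elsewhere under a key the verifier does not trust.
    other = build_manifest(ARTIFACTS, b"constructed-other-key")
    results["wrong_key"] = verify_artifact("bin/foo", ARTIFACTS["bin/foo"], other, RELEASE_KEY)

    # A binary that was never part of the certified build at all.
    results["unlisted"] = verify_artifact("bin/baz", b"constructed stray binary", manifest, RELEASE_KEY)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The verifier never reads the source: a binary rebuilt from identical source in an uncertified environment, or published under a key outside the certified key-handling process, fails in the same way as a tampered one, which is the distinction the message draws between the source and the certified binaries.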
