
Re: [ossig] IBM, SuSE gain security certification



On 6 Aug 2003 at 23:56, Seah Hong Yee wrote:

> Please note that this means very little in real life. The certification 
> is applied for by IBM for IBM machines running SuSE.
> 

IMHO CC certification has its place and use _provided_ people understand 
what it actually means.  The security of a CC-certified product is assured 
to perform according to the specified protection profile (PP) used in the 
evaluation, and in this respect there is at least some comfort on the part 
of the user, especially those in a high-security environment, if the 
product has been CC-certified to a high assurance level (EAL) using a PP 
_appropriate_ for the environment in question.  Unfortunately, it is this 
high dependence on the PP specified that can cause much confusion.

The key here is to understand that the product or system is certified 
using some PP, and it is not enough to judge the security of the 
product based solely on the EAL obtained.  One has to know (ask) under 
what security assumptions and operating environments/conditions the 
certification was obtained.  The EAL rating merely gives you the assurance 
level of the product operating under the specified conditions and 
assumptions.  So, for example, it is quite meaningless to boast that a 
network product has a high EAL (e.g. 4 or 5) if the assumed conditions 
specify that the product is operating under a non-hostile network, etc.

Also note that the certification is very much implementation dependent, 
e.g. the software used and its versions, the hardware used, etc., and so in 
this case we have SuSE Linux Enterprise Server 8 running on IBM eServer 
xSeries achieving EAL2+.  This does not necessarily mean that all SuSE 
Linux from now on will meet the particular EAL certification.  Also, the PP 
used was not specified.

It is informative to read the comment by Jonathan Shapiro on the Win2k 
(SP3) CC EAL4 certification and what it actually means in practice.

 http://eros.cs.jhu.edu/~shap/NT-EAL4.html

Having said all that, more and more organisations, especially key 
government agencies and infrastructures, are specifying CC (ISO 15408) 
compliant products so as to get some level of assurance (which one can if 
one understands the CC properly) in the security of the products used.  In 
view of this, if Linux and other OSS want to be considered by these 
bodies, they will need to be certified, like it or not.  Again, 
unfortunately, the cost of CC certification is high, and so unless we 
have a rich organisation sponsoring the certification (it can be an 
end-user or vendor) it is unlikely that many OSS will be CC certified. 
Products from small companies or poorer nations will also be at a 
disadvantage.  Towards this end, some nations have their own CC-like 
certification schemes (not recognised by CC).  Perhaps with the adoption 
of CC by ISO (ISO 15408), some ISO certification scheme may emerge in due 
course which can drive the price down.

--
Soo Hoe


