Re: [ossig] IBM, SuSE gain security certification

On 8 Aug 2003 at 1:29, Seah Hong Yee wrote:

> This is definitely against Linux. As you can see in today's In Tech,
> the article puts this particular certification slightly behind
> Windows 2000. In fact, that particular certification was applied for by
> IBM for lower to moderate security.  Furthermore, this can be easily
> mistaken to mean Linux is less secure when compared to Windows 2000.  Quite

Unfortunately, when it comes to the CC this is what will happen: 
vendors will take a particular certification result and use it for 
their own ends.  So in this case I am sure that MS proponents will be 
more than happy to point out that Win2k has an EAL of 4 whereas Linux 
has an EAL of 2+.  Unfortunately also, trade journalists, if they are 
not familiar with the CC, may also just take these EALs at face value 
and may make the inference that, based solely on these EALs, Linux in 
general is less secure than Win2k.  Of course, if one understands the 
CC, these values do not imply anything like this at all.  Towards 
this end, standards organisations like SIRIM and trade associations like 
PIKOM have organised awareness seminars trying to explain and educate 
the IT industry on infosecurity standards. (In fact one was just held on 6 
Aug jointly by them, and one of the sessions on security evaluation 
discussed precisely this issue on the CC.)  Probably more awareness 
seminars like this are needed.

> frankly, I can think of a much better way to spend a few hundred thousand
> for certification, such as funding development of open source security

If Linux and OSS are to make it into Government deployment for 
critical infrastructures and applications, I am afraid certifications 
like this are needed, as more and more Govt agencies, not only in the 
US but all over the world, will ask for it.  Here in Malaysia, it is 
possible that a local CC-type certification scheme and lab may be set 
up in the not-too-distant future.

