[Linux-aus] This one's big...

Les Bell lesbell at lesbell.com.au
Tue Aug 5 20:20:02 UTC 2003

Con Zymaris <conz at cyber.com.au> wrote:

> This essentially means that the last major barrier has been removed for
> Linux deployments in sensitive-government sites in the US, Canada, UK,
> Australia and NZ, which follow a similar security certification
> protocol suite...

This is one of those things that looks good on the wall but I'm not sure it
means all that much in practice, Con. Interpreting Common Criteria
certifications is nothing like as simple as the old Orange Book (TCSEC) C1,
C2, B1, etc. The Target Of Evaluation has to be evaluated against a
Protection Profile and is then given an Evaluation Assurance Level between
EAL1 and EAL7. The article cited doesn't disclose any of those things, but
if (just for example) what they've got is EAL2 (structural testing,
analysis using functional and interface specification and high-level
design, independent testing, etc.) against, say "Protection Profile for
Single-Level Operating System in Environments Requiring Medium Robustness",
then it doesn't really mean that much (such systems aren't suitable for US
DOD use). I'm *certain* it isn't "the highest level of security evaluation
used by governments", though.

The big hurdle is the "assurance" part, which means that the design itself,
design process, testing methodologies, etc. must all be documented so that
the evaluators can have confidence (i.e. assurance) that the TOE is what it
claims to be. Just saying, "Well, have *you* seen any Linux viruses?" won't
do it.

And if they have got a higher EAL against, say, a Multi-Level OS Medium
Robustness PP, which means the system implements mandatory access controls
and can be used for processing data up to Top Secret classification, the
market for such systems is fairly small by comparison with the total
market. It would be a gold seal of security quality that might appeal to
commercial buyers, though (albeit a system configured that way would be a
PITA to use and to administer for most people).

Still, any publicity is good publicity and a lot of people will be
interested to see what the actual certification is.


--- Les Bell, RHCE, CISSP
