[Linux-aus] This one's big...
chris at csamuel.org
Fri Aug 8 19:50:02 UTC 2003
On Tuesday 05 Aug 2003 9:30 pm, Brad Hards wrote:
> Common Criteria certification requirements and open source aren't a good
> mix. If you change the configuration, you have to get it recertified.
> What's the point of being able to fix it if you can't use it afterwards
> because your certification is blown? Sure, you have the code and can see
> what's wrong, but it isn't helping you...
I spent a long time in the UK working in the government (DRA, DERA, DSTL) and
this was something I really couldn't get my head around.
You were allowed to run something with bugs in it because it was certified,
but you weren't allowed to fix them because you'd break your certification.
Fortunately there are useful things called "waivers" you could get from your
friendly neighbourhood accreditor, who usually would be quite pragmatic about
such things (and in real life it's his/her sign-off of the system that mattered
more than the rating of the individual components).
But I have been known to recommend that when certified firewalls were being
deployed, a more up-to-date, uncertified firewall was put in front of
them to protect them. :-)
Chris Samuel : http://csamuel.org/ : Melbourne, VIC