[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Linux-aus] This one's big...



-----BEGIN PGP SIGNED MESSAGE-----

On Tuesday 05 Aug 2003 9:30 pm, Brad Hards wrote:

> Common Criteria certification requirements and open source aren't a good
> mix. If you change the configuration, you have to get it recertified.
> What's the point of being able to fix it if you can't use it afterwards
> because your certification is blown? Sure, you have the code and can see
> what's wrong, but it isn't helping you...

I spent a long time in the UK working in the government (DRA,DERA,DSTL) and 
this was something I really couldn't get my head around.

You were allowed to run something with bugs in it because it was certified, 
but you weren't allowed to fix them because you'd break your certification. 
Fortunately there are useful things called "waivers" you could get from your 
friendly neighbourhood accreditor who usually would be quite pragmatic about 
such things (and in real life its his/her signoff of the system that mattered 
more than the rating of the individual components).

But I have been known to recommend that when certified firewalls were being 
deployed that a more up to date, un-certified, firewall was put in front of 
it to protect it. :-)

Chris
- -- 
 Chris Samuel  :  http://csamuel.org/  :  Melbourne, VIC

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iQEVAwUBPzOOC41yjaOTJg85AQHc9gf6Ax3OBj7t3d3yHOUMMxYF1GDWKdswwDtZ
D64NWFS1Sv3FQBDho9ll4ViegKgoZ6wJ6GxjfxkFs0pskgZpvDPXjHKxiakPz9ND
E50dnglDMAuDYaNTPdGcFSD6zD5j3RJYym9EwragXx+dro6Ga8t+ffx7Behkh/na
W8BbQu5jL1u2sz8NgKOG8Ncgr1fmgdEZRJZp+FzExV8K9fzqhEBdFmN6rXM03clj
kj4vzlIXEh/XdGQpUVCEZqCHahzriV2rWSpt+rd0sGT7elXZz4z7yhBEyjdkfmXX
MrnKKPefWJkthrZZ6+AfqDvTanABI4ze+qfNU4FUbeNYbT1yiGGhGg==
=iZ4J
-----END PGP SIGNATURE-----