The term is evaluation, not certification. I believe it was NT 3.5, not
3.51, which is on the National Computer Security Center (NCSC) Evaluated
Products List (EPL). Still, the actual version is irrelevant, given how
long it has been since either were available for purchase.
>And yet, NT 4 still manages to find it's way into Fed and Military
>installations... it's amazing how the US Govt breaks it's own policies
>because of Microsoft.
What's the alternative? The two primary OS contenders in this arena are
Solaris and NT 4.0. Neither have completed evaluation. NT is in the
process of being evaluated, and M$ claims it will be completed "real soon
now". Sun withdrew Solaris from NCSC evaluation because the evaluation
process is broken. Evaluation is for a specific OS version and a specific
hardware configuration. According to NCSC-TG-013-89, "The Rating
Maintenance Phase (RAMP) of the Trusted Product Evaluation Program (TPEP)
provides for the maintenance of computer security ratings across product
revisions.", but I'm unaware of any evidence that process has ever worked.
Still, that doesn't equate to "US Govt breaks it's own policies". Solaris
and NT provide C2 level features and capability, even if the products have
not been formally evaluated. The DoD directive which required "C2 by '92"
didn't specify that only EPL products could be used to meet C2 security.
On another question (more "on topic", perhaps), has anyone attempted or
thought about attempting to add classification labels and mandatory access
control extensions to Linux? Since that is a continuing DoD requirement,
which continues to be an unsatisfied requirement because there is no
mainstream OS with those features, this would appear to be a window of
opportunity for Linux.
Harry Miller
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/