 Re: BSD EAL Common Criteria certification?
In comp.unix.bsd.netbsd.misc Philip Paeps <philip+usenet@paeps.cx> wrote:
>
> Which regulatory constraints are they? I've worked on a number of products
> that have been CE and FCC (among the other usual suspects) approved, but I
> can't say I ever encountered ``Common Criteria'' in the relevant bibles.
Common Criteria is a new buzzword for security officially released
in 2005, but unofficially available in drafts since 1999. Nothing
we must seriously consider, though, only another way to make money
using approval seals.
>> So not only must the OS be secure, but also the project must show the
>> regulator that all required security functionality has been tested by a
>> certified external assessor. The problem here is cost, especially if no
>> previous BSD release has been evaluated in this way before.
>
> Approval is expensive... BSD is a Unix-style operating system. Many of the
> operating systems you mention that have been approved derive more or less
> substantial portions of their code from BSD. Since BSD has not been standing
> still since those derivations happened, I would be quite confident that BSD
> would be pass approval provided some details are checked.
Indeed, most BSDs are secure, highly secure. Small and closed by
default. On the other hand, on that list we can find operating
systems (what an oxymoron!) as Windows 2000, 2003 or XP with
selected sets of patches. Nothing wrong, just to note that this
list is in no way related with the security level of the products.
Something is not better just for being on that list; it is just
approved.
On certain environments (e.g., military, banks, hospitals, data
management centers...) certifications are required. The real problem
is that the existence of these security certifications instead of
providing lists of secure software/hardware tools usually mean that
good and well-known secure products cannot be used. A customer that
blindly chooses following these certification authorities usually
drops excellent tools in favour of tools of financially wealthy
corporations without real caring on quality.
Best regards,
Igor.
 |