Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!elroy.jpl.nasa.gov!ames!haven!uvaarpa!murdoch!news
From: randall@Virginia.EDU (Ran Atkinson)
Newsgroups: comp.unix.sysv386
Subject: Re: security levels, V.4
Message-ID: <1990Nov30.145545.29792@murdoch.acc.Virginia.EDU>
Date: 30 Nov 90 14:55:45 GMT
References: <1990Nov23.182943.21094@cs.dal.ca> <2389@sixhub.UUCP> <2313@tabbs.UUCP> <1990Nov29.224243.2934@ico.isc.com>
Sender: news@murdoch.acc.Virginia.EDU
Reply-To: Ran Atkinson <randall@Virginia.EDU>
Followup-To: comp.unix.sysv386
Distribution: na
Organization: University of Virginia
Lines: 28


In article <1990Nov29.224243.2934@ico.isc.com> rcd@ico.isc.com, Dick Dunn writes:
>aris@tabbs.UUCP (Aris Stathakis) writes:
>> Strange.  I was under the impression that AT&T wouldn't let you 
>> call your product UNIX V.4 unless you had at least B2 security.

>B2 is a higher level of security than C2.  I'll leave it to the orange-book
>mavens to explain the differences; suffice it to say that if you think the
>flaming you've seen in this newsgroup about C2 is hot, you ain't seen
>nothin' yet.
>
>And no, B2 is not required for V.4.  It's an option--I think MLS will take
>you to the B2 level.


Dick is correct.  The MLS (Multi-level Security) option for Unix System V
is needed if you want a B2 system.  Note that UNIX System V/MLS is actually
certified by NCSC as being a B2 system.  I don't think that SCO ever actually
got their "C2" product certified by NCSC (who are the only folks who can
certify Orange Book conformance).

If folks dislike C2, they will be much more unhappy with B2.  I on the other
hand prefer at least a B1 system because it is much safer from breakins
and such.  I'll not bore folks with the differences between C2 and B1 or B2;
if you want to know more, go read the Orange Book.

  Ran
  randall@Virginia.EDU