Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!usc!elroy.jpl.nasa.gov!ames!haven!uvaarpa!murdoch!news From: randall@Virginia.EDU (Ran Atkinson) Newsgroups: comp.unix.sysv386 Subject: Re: security levels, V.4 Message-ID: <1990Nov30.150654.29949@murdoch.acc.Virginia.EDU> Date: 30 Nov 90 15:06:54 GMT References: <1990Nov29.224243.2934@ico.isc.com> <1990Nov30.064557.13565@fiver> Sender: news@murdoch.acc.Virginia.EDU Reply-To: Ran Atkinson Followup-To: comp.unix.sysv386 Distribution: na Organization: University of Virginia Lines: 34 In article <1990Nov30.064557.13565@fiver> palowoda@fiver (Bob Palowoda) writes: > So C2 is required for *any* UNIX OS to be C2 and B2 which is as I >understand it more secure is not required. Yes I would like to here >from someone with the orange-book explain this. I know nothing about the >security levels, nor do I own a system or use one at work. I do have >accounts on some systems that do and once in a while I am locked out >saying with a message for no reason at all. So indirectly it does affect >me as a user. I'm sure the bugs will be found fix etc but this this >brings up another question. How does each level of security packages >affect the devolopment cost of applications for any UNIX that uses it? >How will we know when the price/security costs are enough? > >---Bob I think the original quote that Bob is reacting to was not well worded. It is not the case that all versions of an OS must meet the C2 requirement for any version to meet C2 (or some higher requirement such as B2). In particular, there are non-C2 versions of UNIX that are commercially available and there are B2 versions of UNIX that are available (which is an existence prrof for my assertion above.) There clearly is some cost to having a "trusted system" and at the moment the driving force behind such development is clearly the US DoD for the simple reason that banks, etc choose to buy insurance against breakins rather than spending the money to prevent the breakins by having a more trustworthy system. I gather that most folks here don't care much about such things and would be inclined to say that they should be options from vendors rather than the vendor forcing folks to all buy abilities that aren't wanted... Ran randall@Virginia.EDU