Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!wb3ffv!ka3ovk!raysnec!shwake
From: shwake@raysnec.UUCP (Ray Shwake)
Newsgroups: comp.unix.sysv386
Subject: Re: security levels, V.4
Message-ID: <166@raysnec.UUCP>
Date: 3 Dec 90 17:06:27 GMT
References: <1990Nov29.224243.2934@ico.isc.com> <1990Nov30.064557.13565@fiver>
Organization: IRS/CI - Technical Solutions Branch
Lines: 24

palowoda@fiver (Bob Palowoda) writes:

> So C2 is required for *any* UNIX OS to be C2 and B2 which is as I
> understand it more secure is not required. Yes I would like to hear
> from someone with the orange-book explain this. I know nothing about the
> security levels, nor do I own a system or use one at work.

C2 functionality, or certification at that level (or an alternate level,
for that matter) is a *customer* driven requirement. Major customers can
often drive the market, as the federal government is doing with POSIX, as
General Motors is doing with MAP, as the European PTTs are doing with OSI,
etc. How the vendors respond to customer requirements can still vary,
however. ISC has, for example, modularized C2 functionality such that they
can sell "plain vanilla" UNIX 3.2 security, while bidding C2-certified
variants for government contracts.

Providing a system *capable* of supporting a given level of security,
however, does not mean that a system will always be running at that level.
Aside from weaknesses on the policy and personnel side (often the most
significant), a system supporting different degrees of security rigour
(like SCO ODT and UNIX, AT&T's MLS, etc.) will often have security running
at less than the certified level.