Xref: utzoo comp.sys.hp:7787 comp.unix.questions:28933 comp.unix.internals:2135
Path: utzoo!mnetor!tmsoft!torsqnt!lethe!yunexus!ists!helios.physics.utoronto.ca!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!spool.mu.edu!samsung!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.sys.hp,comp.unix.questions,comp.unix.internals
Subject: Re: Orange book levels for HP-UX versions
Message-ID: <19061@rpp386.cactus.org>
Date: 19 Feb 91 14:15:31 GMT
References: <1991Feb18.165006.24108@qut.edu.au>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cafe and BBS Service
Lines: 37
X-Clever-Slogan: Recycle or Die.

In article <1991Feb18.165006.24108@qut.edu.au> cszrhodes@qut.edu.au (Tony Rhodes) writes:
>Also, can anyone verify if and when HP recieved its certificate with the 
>appropriate rating and official seal from the NCSC for each of these 
>versions.

I'm posting this because companies now seem to think that making unsupported
claims regarding security evaluations is something they can get away with.

To the best of my knowlege, HP has never received a formal letter on any
of their products.  In any case, you can always request a copy of the final
evaluation from your sales representative or directly from the NCSC.  The
address of the NCSC is

	National Computer Security Center
	9800 Savage Road
	Fort George G. Meade
	Maryland 20755-6000

You may wish to begin by asking for a copy of the "Evaluated Products
List".

I =strongly= encourage anyone being told by their sales representative that
the software they are about to purchase has some "Orange Book Letter" to
immediately request a copy of the final evaluation.  They are incredibly
dry reading, but you can't get one unless the product is really formally
evaluated - blue letters don't count.

I will say that "C1" is pretty trivial, as is "C2" - however, there is
functionality which must be present at even those very low levels, and I
am doubtful about how close to even "C1" or "C2" an unrated product is
going to be.  Note also, that without having been submitted for evaluation,
even an unrated product does not merit a "D" (the lowest) rating.
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                           Domain: jfh@rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.


Brought to you by Super Global Mega Corp .com