Xref: utzoo comp.unix.programmer:1362 alt.sources.d:1638 alt.security:1998
Newsgroups: comp.unix.programmer,alt.sources.d,alt.security
Path: utzoo!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!elroy.jpl.nasa.gov!aero-c!aero!faigin
From: faigin@aerospace.aero.org (Daniel P. Faigin)
Subject: Re: C2 secure systems and the superuser
In-Reply-To: wcs@cbnewsh.att.com's message of 17 Mar 91 06:05:40 GMT
Message-ID:
Sender: news@aero.org
Organization: The Aerospace Corporation, Computer Security Department, El Segundo CA
References: <19103@rpp386.cactus.org> <1991Mar13.185609.21132@convex.com> <19104@rpp386.cactus.org> <1991Mar17.060540.3911@cbnewsh.att.com>
Date: 18 Mar 91 12:17:48
Lines: 49

In article <1991Mar17.060540.3911@cbnewsh.att.com>, wcs@cbnewsh.att.com (Bill Stewart 908-949-0705 erebus.att.com!wcs) writes:

> Most of the market is satisfied with C2 functionality, and doesn't
> really need the NSA Good Housekeeping Seal.

Correction. Most of the COMMERCIAL market. The ratings are there to help the
DoD side of things. This goes along with the Agency's charter. If it ever gets
the budget, the commercial side will probably be happier with NIST.

> This is especially important, since adding networking affects your Trusted
> Computing Base, and throws you out into uncharted Red Book territory, even
> at C2 level.

I wouldn't say the TNI (red book) is uncharted. It is a different way of
thinking. It is charted, as there are evaluations working against it.

> Most customers would really rather have networking now, hopefully with the
> bigger holes patched, rather than wait until the general research problem is
> solved well enough for the NCSC to certify systems.

The NCSC does not certify systems. That is up to the accrediting agency that
determines that the residual risk for a particular system in a particular
installation is acceptable. The NCSC only rates systems.

As for networks, yes, it is a problem that many systems on the EPL do not
support real-life configurations. Vendors also have to accept a risk when they
go into "uncharted territory". If systems don't get submitted in real-life
configurations, they don't get evaluated in real-life configurations. What
happens in real life is that the accreditor must look at the changes to the
system from the EPL configuration, and decide that the risk is acceptable. For
this to be "a good thing", the accreditor must be given (and be capable of
understanding) the nuances of the additional information.

> B2 adds Trusted Path, Covert Channel Analysis, and Least Privilege, and
> starts to feel less like Real Unix, because you don't really have One
> All-Powerful Root any more.

More importantly for Unix, B2 adds requirements in the area of system
architecture that make it difficult, if not impossible, for retrofitted Unix
systems.

Daniel
--
[W]:The Aerospace Corp. M1/055 * POB 92957 * LA, CA 90009-2957 * 213/336-8228
[Email]:faigin@aerospace.aero.org [Vmail]:213/336-5454 Box#3149
"A consensus means that everyone agrees to say collectively what no one
believes individually" -- Abba Eban