At 12:26 PM -0700 7/26/99, Rick Smith wrote:
>At 10:48 AM 7/26/99 -0700, Tom Perrine wrote:
>
>>I'll take that.... I worked on systems to handle highly-classified
>>data in full multi-level environements (A1 candidates).
>
>Been there, done that. Got the scars. At least we got Uncle Sam to pay the
>bills.
>
>>At that time (1985), every MLS-possible system that had been produced
>>had been cancelled (or died for other reasons) .... Sure,
>>some of these (ours included) had serious performance problems, but
>>*every* one was cancelled?
>
>This is a digression from the legislative issue, but the cancellations were
>probably for commercial reasons. Many of the early efforts were more or
>less funded by vendors, and they pulled out when no market developed that
>could justify the obscene cost and schedule of a government security
>evaluation. I could go on at length about the cost effectiveness of A1
>style formal methods at finding significant security flaws, even if you
>assume a pliant set of evaluators (NOT the government). NSA ended up
>funding the LOCK program in the late '80s probably because vendors had
>realized that there was no financial benefit in A1's formal assurance of
>OSes. NSA still had some True Believers in A1 a decade ago, but they're all
>gone now as far as I can tell.
I can support this conclusion from the KeyKOS experience. KeyKOS could be
configured to support the B3/A1 requirements. (The requirements for the
two levels were the same, only the level of assurance differed.) Because
our kernel was written in 370 Assembler, our evaluation team suggested we
start with a B2 evaluation. Our cost estimate for that evaluation was
$1,000,000. Our investors didn't see a market, so we dropped out.
-------------------------------------------------------------------------
Bill Frantz | The availability and use of secure encryption may |
Periwinkle | offer an opportunity to reclaim some portion of |
Consulting | the privacy we have lost. - B. FLETCHER, Circuit Judge |
