> We are discussing the US government classification of security levels:
> DoD levels pertaining to the "Orange Book", written by the US Department of
> Defense, and NSA criteria pertaining to the "Red Book". To be specific,
> Microsoft requested a C2 certifiable security level from, specifically, the
> DoD.
Ah. I wasn't aware that in addition to the ITSEC E3 F-C2 certification,
they had gone to the DoD for another "possibility of" certification.
This strikes me as odd, given that I thought the US Gov't recognised
ITSEC classifications, but whatever.
Actually, I just checked Microsoft's website, and if you look at
http://www.microsoft.com/NTServer/security/exec/feature/c2_security.asp
They say that they're currently having NT 4.0 evaluated for certification
in the TPEP program by SAIC. (This is a full evaluation, not any sort of
"hypothetical" one.)
(As I'm sure you know, the TPEP program is the NSA sponsored product
evaluation scheme which is used for all commercial products being sold
to the US government.)
(I've read bits of the Orange book, btw, and I agree - it's boring.)
> I absolutely think that better, more robust standards should be devised
> for the public sector regarding security.
> What you say may be true of other nations, however.
ITSEC standards are recognised by most of Europe, Canada, and the United
States, and are fairly widely used. Trusted Solaris 2.5.1, for example, is
ITSEC certified. Checkpoint Firewall-1 is ITSEC certified. We're not talking
exotic UK only specs here. ;-)
None of this changes the fact that most people who understand
certification seem impressed by Microsoft's non-networked certificates.
(Which was the original point we've been saying over and over, I think..)
cheers,
Michael