The following message is a courtesy copy of an article
that has been posted to bit.listserv.ibm-main,alt.folklore.computers as well.


steve_thomp...@stercomm.com (Thompson, Steve) writes:
> Dr. Wang is no longer with us. And the company, WANG, was taken over by
> another company and they basically dropped the hardware. Some years ago
> I was bidding on migrating WANG/VS based entities to z/OS. I understand
> that there are still a few holdouts in the Government arena.

re:
http://www.garlic.com/~lynn/2009n.html#10 33 Years In IT/Security/Audit

there isn't a lot of stuff that had gotten B3 evaluation
... following claims that wang was the only one ...
http://www.dynamoo.com/orange/summary.htm

in the transition from orange book to common criteria, i had started
doing merged security taxonomy & glossary
http://www.garlic.com/~lynn/index.html#glosnote

and some from common criteria were criticizing me for having both orange
book and common criteria definitions in the same glossary. i countered
that common criteria was to have protection profiles for specific
environments that weren't otherwise capable of getting reasonable orange
book certification.

this is a recent post referencing getting EAL4+ evaluation for a
semi-custom chip
http://www.garlic.com/~lynn/2009n.html#7

my complaint was that some others, using a similar flavor of the chip,
were able to get a higher evaluation. they were able to use "smart card
protection profile" ... which has the majority of the stuff about being able
to load applications on the chip (doesn't actually evaluate what gets
loaded to make the chip useful ... just evaluates the chip and the
loading processes ... not what is loaded).

my semi-custom chip had a whole bunch of the applications in silicon ...
including crypto. since it was part of the silicon chip ... it had to be
evaluated as part of the basic chip (the other way avoided having to
evaluate a useful deployed chip with actual application). the problem
was that there wasn't a profile for the crypto for higher level
evaluation. I would still claim that my base EAL4+ chip was actually
a more secure chip than those with higher evaluations ... since I had done
with the applications and they evaluated w/o actual applications.

not long ago there was a presentation on 65 system EAL evaluations ...
that claimed 63 had undisclosed/unpublished deviations (i.e. they had
unpublished changes to the protection profile being used). In theory,
the purpose behind all this is to have apples-to-apples (trusted
operation) comparison ... but with the majority having various undisclosed
deviations ... it is hard to see how they aren't apples-to-oranges.

It turns out I was involved in doing some amount of trusted computing
stuff as an undergraduate in the 60s ... even if I didn't know it was
called that at the time ... and I didn't learn about these guys until
much later
http://www.nsa.gov/research/selinux/list-archive/0409/8362.shtml

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970
