cszrhodes@qut.edu.au (Tony Rhodes) (02/19/91)
First of all, apologies if you have seen this message before and/or some of my test posts. Having some problems with the mailer.

At the moment I am working on a paper with some other people concerning the security of HP-UX. The paper is along the theme of evaluating the security provided by HP-UX from a non-privileged user perspective using the criteria discussed in the European "White Book", Information Technology Security Evaluation Criteria (ITSEC).

What we wish to verify are the claimed TCSEC "Orange Book" ratings for

    HP-UX 6.0   C1 ??
    HP-UX 7.0   C2 ??
    HP-UX 8.0   >C2 ????

Also, can anyone verify if and when HP received its certificate with the appropriate rating and official seal from the NCSC for each of these versions.

Finally, what security changes/additions did HP have to make to HP-UX to achieve each of the ratings for the particular versions.

I will post a summary of responses to the net if sufficient interest is shown. Please reply by direct e-mail. Thank you in advance.

jfh@rpp386.cactus.org (John F Haugh II) (02/19/91)
In article <1991Feb18.165006.24108@qut.edu.au> cszrhodes@qut.edu.au (Tony Rhodes) writes:
>Also, can anyone verify if and when HP received its certificate with the
>appropriate rating and official seal from the NCSC for each of these
>versions.

I'm posting this because companies now seem to think that making unsupported claims regarding security evaluations is something they can get away with.

To the best of my knowledge, HP has never received a formal letter on any of their products. In any case, you can always request a copy of the final evaluation from your sales representative or directly from the NCSC. The address of the NCSC is

    National Computer Security Center
    9800 Savage Road
    Fort George G. Meade Maryland 20755-6000

You may wish to begin by asking for a copy of the "Evaluated Products List".

I =strongly= encourage anyone being told by their sales representative that the software they are about to purchase has some "Orange Book Letter" to immediately request a copy of the final evaluation. They are incredibly dry reading, but you can't get one unless the product is really formally evaluated - blue letters don't count.

I will say that "C1" is pretty trivial, as is "C2" - however, there is functionality which must be present at even those very low levels, and I am doubtful about how close to even "C1" or "C2" an unrated product is going to be. Note also, that without having been submitted for evaluation, even an unrated product does not merit a "D" (the lowest) rating.

--
John F. Haugh II        UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 Domain: jfh@rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual" -- Robert Hartman, IDE Corp.