geoff@dragon.ism.isc.com (Geoffrey Kimbrough) (12/07/90)
In article <BIGNUM!> mason@oct1.UUCP (David Mason) writes:
>In article <2318@tabbs.UUCP> aris@tabbs.UUCP (Aris Stathakis) writes:
>>What's wrong with that is that it isn't C2. The C2 standard states that
>>it must be included in the product, and you cannot have the same product
>>without the C2 security - or else it does not constitute C2.
>I'm having a hard time swallowing this one. In the list of optional
> [...]
>My faith in ISC is such that I cannot believe that they would do that.
>Aris, can you back up your claims with some quotes from a definitive
>reference, such as the orange book?

Standards documents are funny things. Unless the wording is Absolutely Iron-Clad Unambiguous, there *will* be differing interpretations. Our Orange book scholars told us that we could *not* make a system that was capable of being C2 one day and then not C2 later, so we made a subset that cannot be *removed* once it's installed. SCO's scholars apparently had a different reading. Since both companies have made sales, and neither has been sued by the government, apparently either plan is allowable.

One thing seems clear. It is *not* the software in the box that is Certified C2 Secure, it's an installed system that must be certified. I doubt it matters much for C2, but for B1 or B2, it would be. Only after the system was installed and configured is its level of security certifiable. For one thing, the Orange book has things to say about the physical setup, where the screens are in relation to windows and doors, the locks on the doors, the composition of the walls surrounding the terminals, etc. etc. Since neither ISC nor SCO sell hardware, it's not an issue to either of us, only our customers can deal with that kind of stuff.

Despite the official-sounding information in this article, please do not take any of this as official ISC policy or information. I do not speak for ISC or Kodak or SecureWare, certainly I don't speak for SCO! In fact, I don't speak at all, I'm just an AI virus planted by a random hacker, yeah, that's it!

Geoffrey Kimbrough -- Senior System Therapist
INTERACTIVE Systems Corporation -- A Kodak Company
I think machines and clocks have secret motives, but then again...
Maybe they're made that way.

jfh@rpp386.cactus.org (John F Haugh II) (12/07/90)
In article <1990Dec06.192754.22631@ism.isc.com> geoff@dragon.ism.isc.com (Geoffrey Kimbrough) writes:
> For one thing, the Orange
>book has things to say about the physical setup, where the screens are in
>relation to windows and doors, the locks on the doors, the composition of the
>walls surrounding the terminals, etc. etc.

Not to pick nits, but unless you are referring to parts of the Rationale, there is no part of the Criteria which says anything about doors and windows, etc. Do you have a page and paragraph to cite from?

--
John F. Haugh II
UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832
Domain: jfh@rpp386.cactus.org