From: Jason Zions <jazz@hal.com>
Date: Fri, 24 Sep 93 08:37:37 PDT
To: cypherpunks@toad.com
Subject: Re: P. Wayner on CSSPAB meeting
Message-ID: <9309241531.AA13351@jazz.hal.com>
MIME-Version: 1.0
Content-Type: text/plain


Mr. "Hyperbole-R-Us" Detweiller said:

>>A group of computer scientists from NIST came to discuss their plan
>>for the Federal Criteria for secure systems and the new "Common
>>Criteria" that may emerge. This is an updated version of the old
>>Orange Book classification scheme of C2 and B1 and stuff like that.
>>The scientists said the draft is being finished but it isn't ready
>>for release. But now, they're working on "Something Better." This
>>is a new plan to standardize the grading of secure systems with 
>>other countries and evolve a "Common Criteria." In general, the 
>>board groused about the fact that the public and industry have never
>>been invited to give comments during the process. The summary
>>of this talk is: "We might be able to tell you something someday." 
>
>`other countries'? `Common Criteria'? holy cow, this is something *very
>big* in the works. The U.S. can barely figure out its *own*
>cryptographic policies, and imagine the sheer logistical nightmare of
>trying to come to an agreement between the most isolated and imperious
>agencies!

It's a shame you understand so little of this.

The "Federal Criteria" they're discussing are the Trusted Computer Security
Evaluation Criteria, or TCSEC. This is also called the "Orange Book", since
it was published in an orange cover. It's a purely-US DOD document that
defines various levels of computer security - you remember, C2, B1, B3, all
that stuff. It talks about Mandatory Access Controls, Discretionary Access
Controls, Auditing, Authentication, etc.

Cryptography as such is not addressed by the TCSEC. I believe the TCSEC
discusses cryptographic authentication techniques in an abstract manner, but
not even to the degree of naming any.

The UK and other European countries have their equivalent to the TCSEC. The
security levels have different names, and the included features differ
slightly. The EC recognized that this difference in nomenclature and
definitions would act as a barrier to free trade, so they began a program
to harmonize these definitions. The "Common Criteria" would take this EC
stuff beyond Europe into the US, allowing vendors of secure systems to get
them rated once and sell them in a bunch of countries instead of building
country-specific secure systems as they are required to do today.

Another aspect of the Common Criteria is that they are expected to be a
little more commercial in focus. The TCSEC and its counterparts were
generally developed by the Defense organizations within their respective
countries of origin; the focus of control and security reflects the needs of
the developing organizations. Commercial users have been complaining for
years that the TCSEC et al don't meet their needs in a useful and flexible
manner; one desired goal for the Common Criteria is to meet this need.

Cryptography is almost completely unrelated to the actual criteria
themselves. Cryptography is one possible implementation mechanism for
several of the capabilities required by the TCSEC and its successors; it is
not the only such mechanism. The TCSEC does not prescribe or proscribe
implementation technology.

> I suspect GCHQ (Britain's NSA) would be involved in this at
>least. (There is a very cozy relationship between NSA and GCHQ that
>Kahn was harassed for revealing in _CodeBreakers_.)What other agencies?

The TCSEC and Common Criteria are really being developed by various Defense
agencies; in the US, NIST is also involved, as I suppose DIN, BSI, AFNOR,
etc. are. NSA is uninterested in making systems secure; their job is to
break them anyway. Since the TCSEC doesn't specify mechanism, it's at too
abstract a level for NSA to tamper with.

There are no boogie men from the Spy House involved here, at least in the
US. You can sleep well again.

Jason Zions