From: hallam@w3.org
To: Bill Stewart <cypherpunks@toad.com>
Message Hash: 6b8b99c37f5ee6563aec28de921098d0f0b517775bcebdf6aa5aa128c6619b8f
Message ID: <9509272102.AA21900@zorch.w3.org>
Reply To: <199509261856.LAA24022@ix6.ix.netcom.com>
UTC Datetime: 1995-09-27 21:02:59 UTC
Raw Date: Wed, 27 Sep 95 14:02:59 PDT
Subject: Re: Hack Microsoft NT C2 Rating?
>I'm more surprised by the rating since the Orange Book is basically
>for non-networked systems; Red Book rating is _much_ harder, unless
>the NSA's taking a different view of trustability of software encryption
>for authentication purposes than they used to.

I'm a little sceptical as to the relevance of C2. It is a set of criteria that
is now very old and concerns military security where people can be told what to
do. One way in which security systems often fail is in the security structure
being so suffocating that people have to poke air holes in it so they can
breathe.

I think that C2 is possibly the limit of orange/red bookishness that is
reasonable to work to. It is not a trivial level of security, however; UNIX,
despite all the claims, has never been shipped as C2 secure as standard by a
mainstream vendor. Even requirements involving trivial effort but which are
extremely important, such as the writing of a user's security guide, have never
been taken seriously on any of the UNIX platforms on which I have worked.

Phill