From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: b18edfdcbbf7e12c0560ee32a503abe5eac346e3dd5e87a5979ad9f8d9f49b2f
Message ID: <199603220533.VAA29930@ix7.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1996-03-22 15:31:47 UTC
Raw Date: Fri, 22 Mar 1996 23:31:47 +0800
From: Bill Stewart <stewarts@ix.netcom.com>
Date: Fri, 22 Mar 1996 23:31:47 +0800
To: cypherpunks@toad.com
Subject: Re: NT's C2 rating
Message-ID: <199603220533.VAA29930@ix7.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
At 10:21 AM 3/21/96 -0800, David Loysen <dwl@hnc.com> wrote:
>>The fine print says its insecure as soon as its connected to a network.
>Ain't nothing fine about that print. An operating system or piece of
>hardware may be C2 certifiable. But only a complete system in a specific
>configuration can be certified as C2 compliant. The way I read the orange
>book, no system with a network connection can ever be C2.
A system with a network connection _can_ be C2 or higher rated - *if*
it can adequately verify that it knows who its users are. That's hard,
but it's doable, if it restricts access to a limited set of users,
and has enforcement mechanisms to support it. For instance, connection
over an encrypted, crypto-authenticated LAN which can enforce session
ownership or trustably label all data packets could work; you'd typically
do that with some kind of wrapper over IP or TCP and a bullet-proofed OS
interface.
It's far cleaner if you can do networking in user space rather than the kernel;
I think the UUCP-equipped configurations for AT&T's B1-rated System V/MLS
were part of the rated configuration, though it's been a while since I've
been near that world. It's also easier if you limit each system (or at
least level)
to one local user per machine so machine ID tells you user ID. Compartmentd
Mode Workstations were just coming out when I last did that stuff, so I
don't know quite how much of the Red Book they implement, but they had
goals of supporting networked above-B1 computing.
#--
# Thanks; Bill
# Bill Stewart, stewarts@ix.netcom.com, +1-415-442-2215 pager 408-787-1281
# "At year's end, however, new government limits on Internet access threatened
# to halt the growth of Internet use. [...] Government control of news media
# generally continues to depend on self-censorship to regulate political and
# social content, but the authorities also consistently penalize those who
# exceed the permissible." - US government statement on China...
"SigFiles of Unusual Size? I don't believe they exist!"
Return to March 1996
Return to “Bill Stewart <stewarts@ix.netcom.com>”
1996-03-22 (Fri, 22 Mar 1996 23:31:47 +0800) - Re: NT’s C2 rating - Bill Stewart <stewarts@ix.netcom.com>