From: “Paul H. Merrill” <paulmerrill@acm.org>
To: Iain Collins <icollins@scotland.net>
Message Hash: ce8855776dc4ed4d3050e4da86adb9028a82dbc1d621d1716992f06d3b9de243
Message ID: <3574553D.3F0BE65A@acm.org>
Reply To: <002301bd8e39$c8b18880$c7f3b094@webadmin.sol.co.uk>
UTC Datetime: 1998-06-02 16:37:48 UTC
Raw Date: Tue, 2 Jun 1998 09:37:48 -0700 (PDT)
Subject: Re: Counterpane Cracks MS's PPTP
Iain Collins wrote:
<<snip>>
> I believe that no operating system has ever been given a C2 certification,
> and that only individual installations can be certified.
>
Both Right and Wrong. C2 (or other) certification is given to a product system,
not an OS nor an installation. NT on a specific configuration of a specific
manufacturer, for instance (and with a specific mix of other software). The
intent was to make available Commercial Off The Shelf (COTS) systems for gov
purchase. But the concept was generated in the mainframe/Mini frame of mind.
> This requires that each installation be transported and conducted under
> armed guard, which is the case with certain US government Microsoft NT
> Workstation installations.
>
> It is also stated (somewhere, but I don't have the details to hand) that no
> C2 rated system should be plugged in to an external network connection (i.e.
> the internet), and that only connections to secure LAN's/WAN's are permitted
> (otherwise the C2 certification is meaningless, hence why NT Server has never
> been C2 certified IIRC).
>
The network issue is one with deep ramifications and not as simple as listed in
the above Para. Two totally secure nets can be not secure when connected to
each other because of the data interface for security levels, user permissions
etc.
> I would be grateful if anyone can categorically deny or in any way support
> this.
>
NCSC has a whole line of books on it all. Red is the Network Interpretation,
Orange is the Criteria itself.
> <<SNIP>>
PHM
author, NOT the Orange Book -- A Guide to the Definition, Specification,
Tasking, and Documentation for the Development of Secure Computer Systems --
Including Condensations of the Members of the Rainbow Series and Related
Documents, Merlyn Press, WPAFB, 1992
NTOB is available for those who want it.