Re: NT's C2 rating
At 5:11 PM 3/22/96 -0600, Rick Smith wrote:
> The big deal is that few vendors have tried to get NCSC evaluations.

We walked KeyKOS a long way down the path to a B2 rating. Our investors refused to fund the estimated $1 million it would cost to do all the paperwork. They felt there was no market for NCSC secure systems. Perhaps others felt the same way.

Regards - Bill

------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA

On Sat, 23 Mar 1996, Bill Frantz wrote:
> At 5:11 PM 3/22/96 -0600, Rick Smith wrote:
> > The big deal is that few vendors have tried to get NCSC evaluations.
>
> We walked KeyKOS a long way down the path to a B2 rating. Our investors refused to fund the estimated $1 million it would cost to do all the paperwork. They felt there was no market for NCSC secure systems. Perhaps others felt the same way.

Hopefully, with the Common Criteria replacing the Orange Book (pray, this year), you'll now be able to evaluate against a profile for a lot less money. And, believe it or not, customers will actually get security products they need instead of another instance of the Bell-LaPadula model crafted to military specs.

-------------------------------------------------------------------------
| Liberty is truly dead        |Mark Aldrich                            |
| when the slaves are willing  |GRCI INFOSEC Engineering                |
| to forge their own chains.   |maldrich@grci.com                       |
| STOP THE CDA NOW!            |MAldrich@dockmaster.ncsc.mil            |
|_______________________________________________________________________|
|The author is PGP Empowered. Public key at: finger maldrich@grci.com   |
| The opinions expressed herein are strictly those of the author        |
| and my employer gets no credit for them whatsoever.                   |
-------------------------------------------------------------------------

Mark Aldrich writes:
> On Sat, 23 Mar 1996, Bill Frantz wrote:
> > At 5:11 PM 3/22/96 -0600, Rick Smith wrote:
> > > The big deal is that few vendors have tried to get NCSC evaluations.
> >
> > We walked KeyKOS a long way down the path to a B2 rating. Our investors refused to fund the estimated $1 million it would cost to do all the paperwork. They felt there was no market for NCSC secure systems. Perhaps others felt the same way.
>
> Hopefully, with the Common Criteria replacing the Orange Book (pray, this year), you'll now be able to evaluate against a profile for a lot less money. And, believe it or not, customers will actually get security products they need instead of another instance of the Bell-LaPadula model crafted to military specs.

Well, I haven't exactly been "plugged in" to the development of the CC but given the sheer size of the criteria (I just downloaded it, killing a small tree to print its more than 1000 pages), I'm curious to know why you think evaluations will be so much less expensive. At first glance, some of the requirements seem a little more specific and the evaluation process a bit more flexible, but evaluating an entire OS, for example, is still going to take many man-years (excuse me, person-years) of engineering labor. And then, when you're done, still nobody will want what you've got since it will inevitably be two releases behind the "non-secure" version and you will have thrown out some pieces where it was too much trouble to make them work "securely". It appears to me that the main difference is that your system will be unwanted in several different countries at once. :-)

-- Jeff

Participants (3): frantz@netcom.com, Jeff Barber, Mark Aldrich