Dave's Bit Bucket

Dave Walker's jottings - mostly pertaining to security


20061218 Monday December 18, 2006

Solaris 10 03/05 Gets Common Criteria Certification

This is probably the best news I've had to start a week with, for some considerable time :-).

As Jim Laurent blogs, getting through Common Criteria is a significant achievement for a product, particularly when the Protection Profiles include more than just CAPP (which does not assume hostile intent on the part of an authorised user) and the certification carries assurance to at least EAL4, the first level at which the product's design documentation is examined.

As a further addendum to Jim's article, it's worth noting that "EAL4+" is a little bit of a hack resulting from the agreement which set up Common Criteria in the first place. All the countries which agreed to make ITSEC, TCSEC etc. obsolete in favour of Common Criteria did so on the condition that every nation within the scheme would honour any evaluation and certification up to EAL4 performed in another signatory country, but EAL5 and up would require re-verification on "home turf".

In reality, "EAL4+" is the highest internationally-transferable assurance level; while we could conceivably have had Solaris certified to a higher level, transferability is why this doesn't tend to happen.

As Jim also mentions, Solaris 10 has RBACPP certification as well as CAPP; Trusted Solaris 8 also has LSPP certification, and Solaris 10 11/06 with Trusted Extensions is currently in evaluation against all of CAPP, RBACPP and LSPP.

If anyone tries to foist the idea on you that their product is "EAL4+" or whatever, always ask them what Protection Profiles they are certified against: a CC certification always comprises a tuple of at least one Protection Profile and an Assurance Level. Granted, the PP may be written by the vendor (which might cause the final certification to carry less weight than certifying against CAPP, RBACPP, LSPP or any of the other profiles available here, which were mostly written by the NSA), but it's always a tuple.

I'll reiterate Jim's congratulations to our Certification team; they've delivered successfully on a Really Hard Job. Hats off, folks!

Update:

The nice folk at CSE, who did the evaluation for us, have now posted a useful page at http://www.cse-cst.gc.ca/services/ccs/solaris10-e.html.

This contains the Target of Evaluation (TOE) and Certification Report documents, and a soft copy of the Certificate. Significantly, for folk interested in using Zones in Solaris 10, the TOE explicitly states that Zones are part of the TOE, and therefore Zone segregation is covered by the evaluation :-).
