Re: [Fed-Talk] EAL3 v EAL4
- Subject: Re: [Fed-Talk] EAL3 v EAL4
- From: Brian Raymond <email@hidden>
- Date: Mon, 20 Jun 2005 08:36:36 -0400
On 6/19/05 11:18 PM, "Shawn Geddis" <email@hidden> wrote:
> On Jun 18, 2005, at 10:27 AM, Ran Atkinson wrote:
>> Personally, I find the improved audit support to be very helpful.
>> I do wish Apple would look into EAL4 certification, simply because
>> other competitors have EAL4 already (or in some cases are actively
>> being evaluated under EAL4). Lack of EAL4 is going to be a risk
>> for Apple that EAL4 would be used to prevent Apple systems from
>> being procured under some RFP or deployed in some environments.
>> (That said, I'm very happy that they have EAL3 already. :-)
>
> Since EAL4 does not indicate that it is more secure than EAL3, what
> specific Security Functions are critical for Certification within
> your environments?
That gets right back to the discussion we had when you announced EAL3
certification. A number of other vendors have already attained EAL4 and it's
"higher" than 3. I'm not sure about others, but in a number of projects I've
worked EAL4 is where the line is always drawn. Specific security functions
are not part of the equation at that point; the purpose for stating EAL4 or
above is because there is some confidence at the PM level in what's being
used given its certification.
As of now that leaves me with Solaris and Windows along with some purpose
built OSes. A couple of Linux distros are undergoing CAPP/EAL4 and I know
one is also attempting LSPP.
Without knowing the specific details I think OSX couldn't have reached
CAPP/EAL4 because you lacked fine-grained auditing. That was Linux' failing
as well until the audit framework made it into the kernel.
- Brian