Re: [Fed-Talk] Apple Hardware no non-volatile memory certification
- Subject: Re: [Fed-Talk] Apple Hardware no non-volatile memory certification
- From: Bob Colbert <email@hidden>
- Date: Wed, 5 May 2010 14:06:02 -0400
Shawn,
Thank you for the time to respond to this. This information is very helpful to get our Mac systems approved by DSS and be NISPOM compliant.
Coincidentally, I just saw one of your Apple website videos about Smart Card security because I was looking for a potential Smart Card solution for our ECA PKI certificates for DoD Contractors. I have had the software-based certificates that are expiring at the end of the month, and I was looking to see what was involved for the Smart Card solution with a corporate photo ID.
I guess I have a follow-up question, more regarding PKI certificates, than your original reply about the Volatility Statement and Security Classification Guides. As I said, it was just coincidental that you appear to be involved with both. As more and more of our DoD communications become encrypted, I think there definitely needs to be iPhone/iPad support for reading encrypted (S/MIME) emails. Pretty soon, I will be getting more "this email cannot be read on this device" messages on the iPhone/iPad (I have both, love them).
I saw in the iPhone OS 4 presentation that there will be support for encrypted emails, however I think that was more based on the device password as the key, rather than the PKI infrastructure that is required for DoD communications. Maybe there is going to be support for that in iPhone OS 4, but the preliminary release info didn't seem to indicate that. Perhaps the problem is how/where to get the keys into the device and securely stored on it. Maybe there could be a 30-pin connector gadget, much like the USB keys that store PKI certs that can be plugged into the bottom of the device to read/send encrypted emails. Does Apple just plan to have the infrastructure built into the iPhone 4 OS or is it up to 3rd party developers to fill in this need?
Do you have any insight that you can provide on this, or should I just "wait and see"?
Thanks again,
Bob Colbert
On 5/5/10 2:44 AM, "Shawn A. Geddis" <email@hidden> wrote:
On May 4, 2010, at 3:16 PM, Bob Colbert wrote:
Is there a website/letter that shows that Apple Hardware (specifically a MacMini) contains no non-volatile memory after a power down? Internal hard drives have been removed/stored separately. I know Dell can provide a "letter" guaranteeing this, but I'm not sure if Apple does this as well.
Also, does anyone know when the Apple Security Configuration Guide for Snow Leopard is due out? How does the Apple SCG compare/contrast to the Common Criteria Guide?
Thanks.
-----
Bob Colbert
DE Technologies
email@hidden
Bob,
It appears that the description / reference to Volatility Statements was lost in recent updates made to the Government web page located at: http://www.apple.com/business/solutions/it/government.html
Federal Government representatives can send an email message to "email@hidden" and request a Volatility Statement for Apple Products.
What is needed in the request is at least ONE of the following:
• Product Serial Number (i.e. W891302D7XZ)
• Product Part Number (i.e. MB449LL/A)
• Product Model Number (i.e. A1279)
Apple / NSA Security Configuration Guide for Snow Leopard is expected to be publicly available within the next week or two. Its prior release has been impacted by a few non-technical unexpected delays which have been addressed.
Common Criteria is a Certification of products against various Protection Profiles at an Evaluated Assurance Level. As of December 16, 2009, Mac OS X 10.6 and Mac OS X Server 10.6 were re-certified against CAPP at EAL3 augmented by ALC_FLR.3, CC part 3 conformant. Previously, Mac OS X 10.3.6 and Mac OS X Server 10.3.6 were also certified against CAPP at EAL3 in January, 2005.
The Common Criteria Admin Guide is generated and used for the proper understanding and operation of the TOE in its evaluated configuration. The Security Configuration Guides are a comprehensive overview and baseline configuration guidance for the reference product. These security configuration guides are maintained and vetted through a collaborative effort between Apple Inc. and the National Security Agency. These are two distinct guides with differing intent; however, the CC Admin Guide is referenced by the SCG.
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise