Slashdot Mirror


Red Hat Pushes For CC Certification By Year's End

Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."

5 of 183 comments

  1. Re:Windows 2000 is certified as well by calebtucker · · Score: 5, Insightful

    Yeah, I kinda scratched my head when I saw a Microsoft O/S at EAL4+. I think the CC is more about validating the core of the operating system. As you add more software to a system, it's going to become more vulnerable (*cough* IE, Outlook, IIS *cough*).

    --
    My sig can beat up your sig.
  2. Re:Windows 2000 is certified as well by Jeremiah+Cornelius · · Score: 5, Insightful
    CC is restricted to VERY specific implementations.

    No deviation is allowed from the exact hardware, software and network configuration that is the certification target. Yes, this includes additional security patches. That would constitute a new platform for certification - at an additional expense of many hundreds of thousands USD.

    I suppose that it makes a decent benchmark of sorts. Still, it's mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  3. Playing the corporate game by Ricin · · Score: 4, Insightful

    One more useless qualification-paid-for-sign-dotted-line.

    People should really get it through their skulls that this is not going to help and that talent may not be in their brokerage system already when looking for it (and so they miss out).

    One more example of commodifying the _wrong_ thing. Can pay in the short term but ughugh the longer term....

    When something happens, formalizing it usually means restricting it from "just" happening further. Mkay ;-)

  4. Re:Windows 2000 is certified as well by Jeremiah+Cornelius · · Score: 4, Insightful
    Johnboy,

    I'm pretty familiar with the NIST publications on the subject. I use the NIST standards as testing guidelines on a near daily basis. I readily attest to the value of these.

    CC testing of implementations is not portable to different environments, and unless you duplicate the testing platform and environment as spec'ed, you are not running a certified platform.

    No one is likely to ever run the spec'ed platform/environment.

    It is a benchmark - like any other. Good for selling to the Government markets that have established CC.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. What do you mean? by pr0ntab · · Score: 3, Insightful

    The CC label is REQUIRED for some government computer work for which Linux is perfectly suited, but until recently had to be passed up. We could use Trusted Solaris (yawn) or Win2K (barf). Then came SuSE, but we liked RedHat better. Now we will be able to have RedHat in the mix, which should keep things interesting.

    It's not so much that the people who actually check the security care what OS it is... it's the people who approve the classification of information systems, etc. you know, pencil pushers, that give a shit about the Common Criteria cert on XYZ software.

    I'm glad RedHat finally scrounged up some money from under the couch to remove this roadblock.

    --
    Fuck Beta. Fuck Dice