Red Hat Pushes For CC Certification By Year's End
Ridgelift writes "This article indicates Red Hat Linux is about to receive certification under the Common Criteria (CC) Scheme worldwide. This has been a long road for Red Hat, and 'once successfully certified in the UK, Red Hat products will be recognised as certified and approved by information security agencies from all 19 countries participating in the Common Criteria program.' This means Red Hat will sit alongside Sun Solaris, HP-UX and IBM's AIX."
Yeah, I kinda scratched my head when I saw a Microsoft OS at EAL4+. I think the CC is more about validating the core of the operating system. As you add more software to a system, it's going to become more vulnerable (*cough* IE, Outlook, IIS *cough*).
My sig can beat up your sig.
No deviation is allowed from the exact hardware, software and network configuration that is the certification target. Yes, this includes additional security patches. That would constitute a new platform for certification - at an additional expense of many hundreds of thousands of USD.
I suppose that it makes a decent benchmark of sorts. Still, it's mainly a diligence measure for getting into Govt purchasing schedules, and has little to do with a practical or useful evaluation of the actual security of an OS.
"Flyin' in just a sweet place,
Never been known to fail..."
One more useless qualification-paid-for-sign-dotted-line.
;-)
People should really get it through their skulls that this is not going to help and that talent may not be in their brokerage system already when looking for it (and so they miss out).
One more example of commodifying the _wrong_ thing. Can pay in the short term but ughugh the longer term....
When something happens, formalizing it usually means restricting it from "just" happening further. Mkay
I'm pretty familiar with the NIST publications on the subject. I use the NIST standards as testing guidelines on a near daily basis. I readily attest to the value of these.
CC testing of implementations is not portable to different environments, and unless you duplicate the testing platform and environment as spec'ed, you are not running a certified platform.
No one is likely to ever run the spec'ed platform/environment.
It is a benchmark - like any other. Good for selling to the Government markets that have established CC.
"Flyin' in just a sweet place,
Never been known to fail..."