On Mon, Feb 22, 2010 at 04:04:39PM +0200, Aram Hăvărneanu wrote:
> On Mon, Feb 22, 2010 at 3:51 PM, Aram Hăvărneanu <ara...@mgk.ro> wrote:
> > EAL4 is meaningless. The auditor is not required to view the software
> > in any way (binary or source). Any vendor with money can get its OS to
> > be certified at least at EAL 4 because all that means is that the OS
> > has some mechanisms in place for implementing security. It does not
> > guarantee that those mechanisms really work or that the OS is not full
> > of security holes.
> >
> > Security certifications are futile. At best, they can certify the
> > *model*, not the *implementation*. I seriously doubt .mil or .gov has
> > such requirements for high security networks. I see this kind of
> > nonsense in the Enterprise world.
>
> Besides what's written above, EAL is meaningless unless you read the
> Protection Profile. EAL is the assurance level *against* the
> protection profile. If your PP specifies only that in your systems,
> users login using passwords you can easily get EAL7, but that would be
> so meaningless...
>
> --
> Aram Hăvărneanu

Technically meaningless, yes, but managerially meaningful in some cases,
as there are organizations which require some level of certification for
software to be used "off-the-shelf". Would it be useful for OpenBSD to
get some sort of certification level for this purpose? Possibly. Is it
going to happen unless somebody absolutely needs it in order to deploy a
solution? No. Unless some benefactor is willing to come forward and deal
with the logistical headache of doing the paperwork and keeping it all as
up to date as it needs to be, it's not going to happen, even if getting
an EAL meant ponies, rainbows, and money trees for everybody.