Talk:Security-evaluated operating system

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Computer Security / Computing   
WikiProject icon This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
 ???  This article has not yet received a rating on the project's quality scale.
 ???  This article has not yet received a rating on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing.
 
WikiProject Software / Computing   
WikiProject icon This article is within the scope of WikiProject Software, a collaborative effort to improve the coverage of software on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
 ???  This article has not yet received a rating on the project's quality scale.
 ???  This article has not yet received a rating on the project's importance scale.
Taskforce icon
This article is supported by WikiProject Computing.
 

IBM AIX 5l V5.3 is also Certified for CAPP/EAL4+


Wouldn't it make sense to suspend this?[edit]

This article is very misleading, and out of date. Wouldn't it make sense to put some warning at the top? It doesn't even include the Snowden revelations - somebody reading this might be misled to believe that microsoft systems, or any other closed-source systems, can be secure. — Preceding unsigned comment added by Fustbariclation (talkcontribs) 16:24, 12 October 2014 (UTC)

Is this article still up to date?[edit]

No - material is ancient, have a summary of vendors will update this with. CC had changed significant and we need to add FIPS 140-2 as part of OS evaluation story. Full Disclosure - my day job is working with one of these OSes, I will be impartial, but wanted to be clear I can be perceived as having a bias.

As I understand it, different vendors are looking for or have got EAL 4 evaluation.

Just a few references out of many:

(Old comment on Windows certification) http://archives.neohapsis.com/archives/risks/2002/0055.html

(Now Windows and SUSI seems to be certified against the same Common Access Protection Profile) http://whitepapers.zdnet.co.uk/0,1000000651,260280271p,00.htm?r=7

(Also RedHat seems to have a certified version) http://www.webwire.com/ViewPressRel.asp?aId=39796 http://www.informationweek.com/showArticle.jhtml;jsessionid=G11XGSWCNNNUMQSNDLPSKHSCJUNN2JVN?articleID=171202290&queryText=eal4

(Rivals Sun, Red Hat, and Novell busy with securing) http://www.informationweek.com/showArticle.jhtml;jsessionid=G11XGSWCNNNUMQSNDLPSKHSCJUNN2JVN?articleID=180202469&queryText=eal4

(And I don't know where they are today) http://www.linuxdevices.com/news/NS1971174872.html

EnGarde?[edit]

Why is this linked to in the "See also"? As far as I can tell, EnGarde has no security certification, so it seems to have no more relevance to this article than any other OS that has been developed with security in mind. S. Ugarte (talk) 21:34, 15 December 2008 (UTC)

Looks like that contributor went through and pimped EnGarde in a bunch of articles where it isn't so relevant. I'm going to go through and clean these up, because it looks a lot like commercial promotion to me (EnGarde is not such a big-time Linux distro that it deserves a unique See Also as a "Unix-like OS", for example). S. Ugarte (talk) 21:42, 15 December 2008 (UTC)

Terminology[edit]

The description for Trusted Solaris 8 includes:

Trusted Solaris Version 8 received the EAL4 certification level augmented by a number of protection profiles

This seems to imply that the evaluation is all about the assurance level, and just for additional swank, you can add "protection profiles" as a kind of set of merit badges.

My interpretation, which could admittedly be way off base, is that this is somewhat backwards: the protection profiles describe what you're evaluating (the security properties such as access control), and the EAL describes how rigorously this evaluation has been conducted. Of further importance is the Target of Evaluation, which describes the scope of the evaluation -- that is, how much of the actual OS was tested. Does this sound right?--NapoliRoma (talk) 15:06, 3 April 2009 (UTC)