[clug] Any Public Service organisations using Linux desktop and Open Office?

Tomasz Ciolek tmc at vandradlabs.com.au
Wed Jul 2 10:52:42 GMT 2008

On Wed, Jul 02, 2008 at 10:07:02AM +0200, Kim Holburn wrote:
> Evaluation assurance level 1 (EAL1) - functionally tested
> Evaluation assurance level 2 (EAL2) - structurally tested
> Evaluation assurance level 3 (EAL3) - methodically tested and checked
> Evaluation assurance level 4 (EAL4) - methodically designed, tested, and 
> reviewed
> Evaluation assurance level 5 (EAL5) - semiformally designed and tested
> Evaluation assurance level 6 (EAL6) - semiformally verified design and  
> tested
> Evaluation assurance level 7 (EAL7) - formally verified design and  
> tested
> Wow, Windows is methodically designed, tested and reviewed?

Actually the only bits tested are the ones specified in the Target of
Evaluation, which are narrow, and tied down with configuration caveats
and sometimes even underlying hardware.

As soon as you change the configuration of the tested/evaluated aspects from the one in the ToE, your system is no longer certified.

Example: for many years CISCO PIX firewalls were evaluated as EAL4, but
without IPSec VPN, SSH, or NAT. Also, evaluation covered specific
software versions. Turn on any of those and you're no longer running an
evaluated firewall. Upgrade version beyond a certain limit, and you're no
longer evaluated, etc, etc...


Tomasz M. Ciolek	
 tmc at vandradlabs dot com dot au 
   GPG Key ID:		0x41C4C2F0
   GPG Key Fingerprint: 3883 B308 8256 2246 D3ED  A1FF 3A1D 0EAD 41C4 C2F0
   Key available on good key-servers
