[ Linux Today reader TC
writes: ]
For Linux Today readers, you might be interested that Microsoft
has recieved C2 certification. Go to http://www.microsoft.com/security/issues/c2summary.asp
for more information.
“On December 02, 1999, the US Government announced that
Microsoft Windows NT Server and Workstation 4.0 had completed a
successful evaluation at the C2 level according to the Trusted
Computer System Evaluation Criteria (TCSEC). The TCSEC, more
familiarly known as the “Orange Book”, is perhaps the best-known
governmental evaluation process for IT systems. C2 is widely
acknowledged to be the highest evaluation rating that can be
achieved by a general-purpose operating system. The Windows NT 4.0
evaluation included servers and workstations in six different
roles, operating in both TCP/IP networked and stand-alone
modes.”
Seeing that Linux has not achieved C2 certification or FIPS-140
certification, I am sure Microsoft will be using this in upcoming
“marketing” as a reason why NT is better than Linux. While it may
make for good “marketing”, we all should remember that security is
“tough” work.
I personally would like to see Linux address C2 and FIPS-140
certification since it is becoming a daily deciding factor in U.S.
Goverment (especially DoD) purchasing decisions. Up to this point
only Netscape on Solaris has been FIPS-140 Level 2 certified, and I
am sure now Microsoft will be pushing to have NT running IIS run
more external Government Web Services, which for organizations that
enforced the FIPS-140 requirement has been a stumbling block for
Microsoft.
I am sure the comments will be numerous. I would hope readers
who concentrate on the underlying issue, however, of placing Linux
before Government testers and get it certified, also.