JeffOS EAL4+ Secure System

(read my background article first)

JeffOS gets EAL4+ certification… not really.  Primarily because I haven’t created JeffOS.  But hey, I’m thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation.  What?  Does the evaluated configuration make a difference?  IF JeffOS is evaluated EAL4+, doesn’t that mean all of JeffOS is certified?  I’m afraid not, security super friends.  Take a look at this chart from Windows® and SuSE Linux EAL4+ Workload Comparison:

The above table is extracted from a new Microsoft-sponsored study posted at  The question behind the study was:  “If the assurance level and protection profiles are the same, then is there a practical difference?”  As shown in this chart, there is a vast difference depending on the software included or excluded from  the evaluated configuration.

My original post on how this difference can occur got really long, so I created a separate article to explain The Importance of the “Evaluated Configuration” in Common Criteria Evaluations, allowing me to shorten this entry to just key points.  However, it’s important stuff and a good read, so you should go read the whole thing as intro and then come back here.

In my opinion, there is a big difference in the amount of work that it takes a customer to get from the starting point of these two EAL4+ evaluated systems to full Certification and Accreditation and this is no accident.  The much more useful and practical evaluated configuration in the Windows client/server evaluation (compared with Linux and compared with the previous Windows 2000 evaluation) is a reflection of Microsoft investment, not just in security improvement processes, but in people with security expertise that are helping drive more thoughtful security investments like this one.

So, what should I do?  Should I pay the extra cost to include DHCP and Apache in my evaluation of JeffOS?  Wait, maybe instead, I should strip even more usefulness out of the system and go for EAL7!!!  Then, I could claim JeffOS has an EAL7 certification and leave the responsibility with customers to make it useful by adding on unevaluated components.  Well, maybe not…

Think Security ~ Jeff

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »