(read my background article first)
JeffOS gets EAL4+ certification… not really. Primarily because I haven’t created JeffOS. But hey, I’m thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation. What? Does the evaluated configuration make a difference? IF JeffOS is evaluated EAL4+, doesn’t that mean all of JeffOS is certified? I’m afraid not, security super friends. Take a look at this chart from Windows® and SuSE Linux EAL4+ Workload Comparison:
The above table is extracted from a new Microsoft-sponsored study posted at www.microsoft.com/getthefacts. The question behind the study was: “If the assurance level and protection profiles are the same, then is there a practical difference?” As shown in this chart, there is a vast difference depending on the software included or excluded from the evaluated configuration.
My original post on how this difference can occur got really long, so I created a separate article to explain The Importance of the “Evaluated Configuration” in Common Criteria Evaluations, allowing me to shorten this entry to just key points. However, it’s important stuff and a good read, so you should go read the whole thing as intro and then come back here.
In my opinion, there is a big difference in the amount of work that it takes a customer to get from the starting point of these two EAL4+ evaluated systems to full Certification and Accreditation and this is no accident. The much more useful and practical evaluated configuration in the Windows client/server evaluation (compared with Linux and compared with the previous Windows 2000 evaluation) is a reflection of Microsoft investment, not just in security improvement processes, but in people with security expertise that are helping drive more thoughtful security investments like this one.
So, what should I do? Should I pay the extra cost to include DHCP and Apache in my evaluation of JeffOS? Wait, maybe instead, I should strip even more usefulness out of the system and go for EAL7!!! Then, I could claim JeffOS has an EAL7 certification and leave the responsibility with customers to make it useful by adding on unevaluated components. Well, maybe not…
Think Security ~ Jeff