To be considered certified, it would have to be in the certified configuration. Installing a new application with an open network port violates that certification. That is not really very useful. It is also not unique to SUSE. You have the same problem with all Common Criteria certified systems; they are only really certified in a specific configuration, which is probably not adequate to your needs. Which is why I am fairly cynical about the real security value of Common Criteria certification. Even among the set of people who are required to run certified systems, almost none of them actually run in the certified configuration.

Crispin

Mark Armstrong wrote:
That is very interesting to know, thank you.
I don't have to bring my system together until 1st quarter 2008 so SLES 10 is an option.
Would that mean that if I used SLES 10 SP1 on an appropriate hardware platform it would be considered to meet the Common Criteria (assuming it passes re-eval), or is it slightly more complicated than that?
Mark
Emily Ratliff wrote:
Mark Armstrong wrote:
All your points are very true; unfortunately, I'm looking to put a server into an environment where risk assessment and use of certified products makes the bureaucracy happy.
SLES 10 (SP1) is under re-evaluation at CAPP/EAL4+. See http://niap.bahialab.com/cc-scheme/in_evaluation.cfm
It should complete before too long. Does that satisfy your requirement?
Emily
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com