Common Criteria and ITSEC (BSxxyy, etc..), Free Beer vs. Free Speech
Hello, I apologize for the priority but I think that this is a big issue, indeed.
I recently learned that Italian PA (Public Administration) is defining a law (or sort of) about the informative systems which can be adopted for its purpose, by asking the systems the compliance with some level (I think EAL2) of Common Criteria (CC), or European equipollents (ITSEC, or BS (British Standards)).
I was told that it was recently stated on the web that Linux solutions wouldn't be compliant to such criteria, above all for what addresses the user "policy" (or something like that).
Can somebody point me to some useful direction towards this issue? Does anybody know whether a Linux system can or has been certified versus CC?
I think that this lack of certification is given by the lack of interest, or absence of motivation, by the Linux community rather than by technical limits.
I think, of course, that the compliance to these international certification criteria should be considered as an essential feature in order not to limit the diffusion of Linux systems and "free software" (in the sense of freedom, of course) also in PA which is a "strategic" area of users.
Of course the same PA, and the State, should be the first institution sponsoring Free Software, just to guarantee the accessibility to all citizens to the services provided (first of all about the documentation).
Please if you have any information, let's coordinate a project aimed to "raise" the problem towards the international community, asking for support of EU, Free Software Foundation, ...
Thanks a lot, Ste
This does sound like it could be important, and like it would be worth doing
something about. But I don't know what the Common Criteria are (never heard
of them, in fact), nor do I understand what is meant by user policy. Linux
and *nix are certainly very widely used in the UK academic sector, so it
would seem odd if there has been nothing done on compliance with standards.
Can you give us a bit more background to work with before we start reacting?
Best
Fergus
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
Thanks for your feedback, this is important indeed. Now, I'm sorry but the little I learned is on a magazine I can't read just now. I'll be more precise in a couple of days, as soon as I can recollect some more info on Common Criteria. Anyway, this is the web site, as recovered from Google:
http://www.commoncriteria.org/
I think that in UK, BS9977 and similars (I believe) are used (BS: British Standards, for not UK citizens).
I too am not too sure what is meant by user policy, I think that is substantially linked to security and access to the resources and data provided by the system (AKA *nix policy on users, groups, apps), but maybe this can be my interpretation based on *nix (although limited) knowledge.
It's just because it seems odd to me, too, that I wanted to point your attention towards this issue and ask again to escalate this to the highest level possible.
I forwarded my mail to gnu@gun.org.
This is not meant for spamming, but to support Free Software and avoid proprietary chains.
Thanks a lot,
Ste
Fergus Wilde wrote:
This does sound like it could be important, and like it would be worth doing something about. But I don't know what the Common Criteria are (never heard of them, in fact), nor do I understand what is meant by user policy. Linux and *nix are certainly very widely used in the UK academic sector, so it would seem odd if there has been nothing done on compliance with standards. Can you give us a bit more background to work with before we start reacting?
Best Fergus
----- Original Message ----- From: "Stefano Papini" To: "SuSE" Sent: Friday, May 18, 2001 10:01 AM Subject: [SLE] Common Criteria and ITSEC (BSxxyy, etc..), Free Beer vs. Free Speech
Hi Stefano,
I will look at the links and pages, and we must see what is meant.
It's certainly very important that Linux doesn't miss out on being included
in any national / international standards. I won't be able to get onto this
much until next week, but I will keep reading here in case news appears.
I wonder if anyone at SuSE, as a company whose vital interests might appear
to be affected, knows what is fact and what is rumour about this.
Take care
Fergus
Hi Fergus and all,
my impression is that the international community (and I like to underline that the interest must be shared by any involved by free software, SuSE included, of course) has no time to waste, as I expect that there'll be a lot of rumour done by other sw "vendor" in order to prevent "Free software" to enter such a rich market and there will be time and probably money to spend to achieve any certification.
My worries concern the fact that with respect to a single system/solution (e.g. Oracle 9i), here we have to "certify" the approach of Free Software. This by itself is more secure, but is difficult to "concentrate" in a single system/solution (e.g. we could certify mySQL, but what about a whole Linux distro?).
We have to think of it, at the maximum level possible, with the maximum priority possible because, as Gudmund pointed out, in Germany and in France things are moving on.
Now, I was told that recently France has promoted a law trying to defend "open source" initiatives in PA, but I think that the key to all this problem is to match the international standards.
On the other side I expect that just people like Robert J. Chassel, or Mr. Bruce Perens, or R. Stallman or some well known expert, can actively and effectively support this issue (what about the same Linus???).
Cheers, Stefano
Fergus Wilde wrote:
Hi Stefano,
I will look at the links and pages, and we must see what is meant. It's certainly very important that Linux doesn't miss out on being included in any national / international standards. I won't be able to get onto this much until next week, but I will keep reading here in case news appears.
I wonder if anyone at SuSE, as a company whose vital interests might appear to be affected, knows what is fact and what is rumour about this.
Take care Fergus
----- Original Message ----- From: "Stefano Papini" To: "Fergus Wilde" Cc: "SuSE list" Sent: Friday, May 18, 2001 11:10 AM Subject: Re: [SLE] Common Criteria and ITSEC (BSxxyy, etc..), Free Beer vs. Free Speech
-- Stefano Papini, Dr. Eng. Account Manager GPLV Partners S.p.A. Piazza Cavour, 3 (V piano) 20121 Milano - Italy Tel. +39-02-6556731 Fax +39-02-63618532 mailto:stefano.papini@gplvpartners.com Web: http://www.gplvpartners.com
For those who can read attachments, more details are provided.
Bye, Ste
Fergus Wilde wrote:
This does sound like it could be important, and like it would be worth doing something about. But I don't know what the Common Criteria are (never heard of them, in fact), nor do I understand what is meant by user policy. Linux and *nix are certainly very widely used in the UK academic sector, so it would seem odd if there has been nothing done on compliance with standards. Can you give us a bit more background to work with before we start reacting?
Best Fergus
Hi,
Stefano Papini wrote:
> Hello, I apologize for the priority but I think that this is a big issue, indeed.
> I recently learned that Italian PA (Public Administration) is defining a law (or sort of) about the informative systems which can be adopted for its purpose, by asking the systems the compliance with some level (I think EAL2) of Common Criteria (CC), or European equipollents (ITSEC, or BS (British Standards)).
> I was told that it was recently stated on the web that Linux solutions wouldn't be compliant to such criteria, above all for what addresses the user "policy" (or something like that).
> Can somebody point me to some useful direction towards this issue? Does anybody know whether a Linux system can or has been certified versus CC?
Not quite to the point, but it says something: http://www.fcw.com/fcw/articles/2000/0731/web-linux-08-02-00.asp
> I think that this lack of certification is given by the lack of interest, or absence of motivation, by the Linux community rather than by technical limits.
> I think, of course, that the compliance to these international certification criteria should be considered as an essential feature in order not to limit the diffusion of Linux systems and "free software" (in the sense of freedom, of course) also in PA which is a "strategic" area of users.
> Of course the same PA, and the State, should be the first institution sponsoring Free Software, just to guarantee the accessibility to all citizens to the services provided (first of all about the documentation).
> Please if you have any information, let's coordinate a project aimed to "raise" the problem towards the international community, asking for support of EU, Free Software Foundation, ...
Indeed. AFAIK, the French and German governments have started something. I don't know where to start with the French, but here's for starters about the Germans (sorry, mostly in German):
http://linux.kbst.bund.de/
http://linux.kbst.bund.de/02-2000/index2.html
http://linux.kbst.bund.de/02-2000/brief2-2000.html
http://www.bsi.bund.de/
http://www.bsi.bund.de/aufgaben/ii/zert/index.htm
http://www.bsi.bund.de/cc/index.htm
BR, Gudmund
participants (3)
- Fergus Wilde
- Gudmund Areskoug
- Stefano Papini