security levels, V.4

Bob Palowoda palowoda at fiver
Fri Nov 30 17:45:57 AEST 1990


From article <1990Nov29.224243.2934 at ico.isc.com>, by rcd at ico.isc.com (Dick Dunn):
> aris at tabbs.UUCP (Aris Stathakis) writes:
>   davidsen at sixhub.UUCP (Wm E. Davidsen Jr) writes:
>> >  ODT has C2 security, DV2 doesn't, but has shadow password. Both
>> >companies consider this a feature. I would gladly pay another $200-300
>> >for ODT with the security ripped out...
> 
>> DV2?  You mean maybe DV4? :-)  Strange.  I was under the impression
>> that AT&T wouldn't let you call your product UNIX V.4 unless you had
>> at least B2 security.  I could be wrong though..
> 
> B2???  No, you must be kidding.  You *don't want* B2.  (It may be required
> for something you're doing, in which case you may *need* it...but even then
> you won't *want* it.:-)
> 
> B2 is a higher level of security than C2.  I'll leave it to the orange-book
> mavens to explain the differences; suffice it to say that if you think the
> flaming you've seen in this newsgroup about C2 is hot, you ain't seen
> nothin' yet.
> 
> And no, B2 is not required for V.4.  It's an option--I think MLS will take
> you to the B2 level.                 ^^^^^^^^^^^^^^
                                       ||||||||||||||

  Well this is interesting. According to Mr. Aris Stathakis in a previous
article he writes:

> What's wrong with that is that it isn't C2.  The C2 standard states that
> it must be included in the product, and you cannot have the same product
> without the C2 security - or else it does not constitute C2.

  So C2 is required for *any* UNIX OS to be C2 and B2 which is as I
understand it more secure is not required. Yes I would like to hear
from someone with the orange-book explain this. I know nothing about the
security levels, nor do I own a system or use one at work. I do have
accounts on some systems that do and once in a while I am locked out
with a message for no reason at all. So indirectly it does affect
me as a user. I'm sure the bugs will be found, fixed, etc. but this
brings up another question. How does each level of security packages
affect the development cost of applications for any UNIX that uses it?
How will we know when the price/security costs are enough?

---Bob
 

-- 
Bob Palowoda   palowoda at fiver              |   *Home of Fiver BBS*
Home {sun}!ys2!fiver!palowoda              | 415-623-8809 1200/2400
     {pacbell}!indetech!fiver!palowoda     |     An XBBS System                
Work {sun,pyramid,decwrl}!megatest!palowoda| 415-623-8806 1200/2400/19.2k TB+



More information about the Comp.unix.sysv386 mailing list