Thread: Common criteria evaluation?

I'm working on a database project and we're starting to look at open
source alternatives to Oracle.  The group I'm working for is keen to
find a suitable database that has passed the common criteria
evaluation at some level.  I know an older version of PostgreSQL for
Linux was evaluated at EAL 1 in Japan.  Are there any other versions
that are going through this now?  Or any ideas where else I could look?

On Thu, 15 Nov 2007, Geoff wrote:

> I know an older version of PostgreSQL for Linux was evaluated at EAL 1
> in Japan.

Right, by NTT:  http://www.nttdata.co.jp/services/postgreSQL/english.html

Note that the certified version included some small modifications, it
wasn't the regular release that made it.  8.1.5 isn't that old of a
version; the current release in that branch is 8.1.10 and it's completely
sensible to consider rolling out even a new system on 8.1 right now.
There are some issues [1] even with adopting that one certified version
right now.

> Are there any other versions that are going through this now?

The most obvious vendor to find this worth the trouble is Sun, the last
recent statement I saw about this topic suggested that was just on their
radar:

http://blogs.ittoolbox.com/database/soup/archives/jpug-2007-report-16736

Josh may chime in with an update here, but I doubt that's made much
progress yet.

[1] The changes between 8.1.5 and 8.1.10 were relatively small and focused
on bug fixes, but there were a few compelling ones that would make
deploying 8.1.5 a little risky.  8.1.7 fixed a notable security issue and
8.1.9 took care of a problem that could corrupt data.  Even if it were
feasible for you to self-certify in some fashion, the only path there that
would make sense would be extracting the changes made to reach EAL1 in
that customized 8.1.5, then apply at least those important patches.

--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD

Greg Smith <gsmith@gregsmith.com> writes:
> Right, by NTT:  http://www.nttdata.co.jp/services/postgreSQL/english.html
> Note that the certified version included some small modifications, it
> wasn't the regular release that made it.

Were those mods ever submitted upstream?

            regards, tom lane

On Fri, 16 Nov 2007, Tom Lane wrote:

> Greg Smith <gsmith@gregsmith.com> writes:
>> Right, by NTT:  http://www.nttdata.co.jp/services/postgreSQL/english.html
> Were those mods ever submitted upstream?

As far as I can tell they weren't even released offically.  I didn't see
any source RPMs, just the binaries, and all the related documentation is
in Japanese.

That's actually the biggest problem with other groups trying to re-use the
work they did.  A large part of Common Criteria compliance involves not
just the code but the procedures, and all of those are also in Japanese.
The modified software by itself doesn't get you there, you have to use it
in just the right way to follow the certified procedure.

--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD

On Thu, Nov 15, 2007 at 07:35:52PM -0800, Geoff wrote:
> I know an older version of PostgreSQL for
> Linux was evaluated at EAL 1 in Japan.  Are there any other versions
> that are going through this now?

Just out of interest, what does EAL level 1 actually test/check for?
I'd assume that it was a very specific set of use cases, but it may be
something more generally useful.


  Sam

On Fri, 16 Nov 2007, Sam Mason wrote:

> Just out of interest, what does EAL level 1 actually test/check for?

There's a good summary of this whole process on the relevant Wikipedia
pages:

http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
http://en.wikipedia.org/wiki/Common_Criteria

Actually digging into the details will put you to sleep fast, the specs
are available at
http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/PubliclyAvailableStandards.htm

To figure out how to map the EAL levels into what's acually tested, you
need to look at the table at the end of ISO/IEC 15408-3:2005.  That serves
as a sort of index of what you need to pay attention to in the other
documentation.

--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD

On Fri, Nov 16, 2007 at 01:34:40PM -0500, Greg Smith wrote:
> On Fri, 16 Nov 2007, Sam Mason wrote:
> >Just out of interest, what does EAL level 1 actually test/check for?
>
> There's a good summary of this whole process on the relevant Wikipedia
> pages:
>
> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
> http://en.wikipedia.org/wiki/Common_Criteria

I had a look though those, but they seemed pretty vague about what was
actually being checked/verified.

> Actually digging into the details will put you to sleep fast, the specs
> are available at
> http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/PubliclyAvailableStandards.htm
>
> To figure out how to map the EAL levels into what's acually tested, you
> need to look at the table at the end of ISO/IEC 15408-3:2005.  That serves
> as a sort of index of what you need to pay attention to in the other
> documentation.

And that's the other extreme.  The introduction seems readable, lets see
how long I last!


  Sam