C2, SecureWare, loose lips

John F Haugh II jfh at rpp386.cactus.org
Fri Mar 15 23:12:20 AEST 1991


In article <8178 at rsiatl.Dixie.Com> meo at Dixie.Com (Miles ONeal) writes:
>They are also, at least in part, simply incorrect.

They are not "simply incorrect".  I had parts of this discussion at
great length in comp.unix.sysv386 and comp.unix.xenix and a few of the
other comp.unix groups.

>2) SecureWare's behavior & ethics
>
>In this article at least, you make claims you do not substantiate.
>Just what is this unethical behavior? One of the things that
>attracted me to SecureWare was that they seemed far more ethical
>in many areas than most of the software/systems houses with
>which I am familiar. I have been there almost a year, and have
>yet to see evidence to the contrary. Nor am I posting this out
>of duty or hoping to win brownie points - they don't go in for
>that sort of bull and neither do I.

SCO and SecureWare developed a product, which is called "SCO UNIX"
that is sold by SCO as a "C2" product.  SCO relies on SecureWare's
name when they sell the product, that is, they freely say the product
was developed with SecureWare, and they freely claim that it is a
C2 product.  No, SCO does not say they have a blue letter, and they
don't say they are "formally evaluated", and I've been very careful
not to claim that they do - but they do continue to use "C2" to
describe what "SCO UNIX" is.  They also continue to use SecureWare's
name, and SecureWare continues to point at SCO UNIX as a product it
developed.

Based on descriptions of the features of SCO UNIX, and the criteria
in the TCSEC, SCO UNIX is not "C2 compliant", for some minimum set
of "C2 compliance".  It does, and I have stated this previously,
contain quite a few B1 and higher features (which, btw, is not a "bad"
thing in any sense).  However, there are areas in which it lacks
some "C2" feature.  Of course, the issue is completely moot because
the system was never evaluated at the C2 level, nor could it be
because the formal evaluation process involves more than just the
particular software - it also involves the hardware the system is to
be installed on.

There are many things that are "unethical" and still very legal.  I
am not claiming that SCO or SecureWare has done anything illegal.
Just that SCO and SecureWare have clouded a complicated issue for
their own gain.  You don't just slap a "C2" label on a product and
hope people don't know what an "Evaluated Products List" is.
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.



More information about the Comp.unix.programmer mailing list