(read my background article first)

JeffOS gets EAL4+ certification... not really.  Primarily because I haven't created JeffOS.  But hey, I'm thinking about it, so stay with me while I think about what configuration of JeffOS I should submit for evaluation.  What?  Does the evaluated configuration make a difference?  If JeffOS is evaluated EAL4+, doesn't that mean all of JeffOS is certified?  I'm afraid not, security super friends.  Take a look at this chart from Windows® and SuSE Linux EAL4+ Workload Comparison:

The above table is extracted from a new Microsoft-sponsored study posted at www.microsoft.com/getthefacts.  The question behind the study was: "If the assurance level and protection profiles are the same, then is there a practical difference?"  As shown in this chart, there is a vast difference depending on the software included in or excluded from the evaluated configuration.

My original post on how this difference can occur got really long, so I created a separate article to explain The Importance of the “Evaluated Configuration” in Common Criteria Evaluations, allowing me to shorten this entry to just key points.  However, it's important stuff and a good read, so you should go read the whole thing as intro and then come back here.

In my opinion, there is a big difference in the amount of work it takes a customer to get from the starting point of these two EAL4+ evaluated systems to full Certification and Accreditation, and this is no accident.  The much more useful and practical evaluated configuration in the Windows client/server evaluation (compared with Linux, and compared with the previous Windows 2000 evaluation) reflects Microsoft's investment, not just in security improvement processes, but in people with security expertise who are helping drive more thoughtful security investments like this one.

So, what should I do?  Should I pay the extra cost to include DHCP and Apache in my evaluation of JeffOS?  Wait, maybe instead, I should strip even more usefulness out of the system and go for EAL7!!!  Then, I could claim JeffOS has an EAL7 certification and leave the responsibility with customers to make it useful by adding on unevaluated components.  Well, maybe not...

Think Security ~ Jeff