Re: Common criteria evaluation?

On Thu, 15 Nov 2007, Geoff wrote:

> I know an older version of PostgreSQL for Linux was evaluated at EAL 1
> in Japan.

Right, by NTT: http://www.nttdata.co.jp/services/postgreSQL/english.html

Note that the certified version included some small modifications, it
wasn't the regular release that made it. 8.1.5 isn't that old of a
version; the current release in that branch is 8.1.10 and it's completely
sensible to consider rolling out even a new system on 8.1 right now.
There are some issues [1] even with adopting that one certified version
right now.

> Are there any other versions that are going through this now?

The most obvious vendor to find this worth the trouble is Sun, the last
recent statement I saw about this topic suggested that was just on their
radar:

http://blogs.ittoolbox.com/database/soup/archives/jpug-2007-report-16736

Josh may chime in with an update here, but I doubt that's made much
progress yet.

[1] The changes between 8.1.5 and 8.1.10 were relatively small and focused
on bug fixes, but there were a few compelling ones that would make
deploying 8.1.5 a little risky. 8.1.7 fixed a notable security issue and
8.1.9 took care of a problem that could corrupt data. Even if it were
feasible for you to self-certify in some fashion, the only path there that
would make sense would be extracting the changes made to reach EAL1 in
that customized 8.1.5, then apply at least those important patches.

--
* Greg Smith gsmith(at)gregsmith(dot)com http://www.gregsmith.com Baltimore, MD