At 7:49 AM -0800 1/13/00, hal@finney.org wrote:
>With all the talk about crypto I didn't realize that there were
>restrictions on export of secure OS. Can you provide pointers/refs to
>these laws? I am curious to see how they would define a "secure" OS
>since you'd think that every OS is in principle secure in some sense,
>if it weren't full of bugs.
They are buried in the regs. "Secure" is "Orange Book" B3 or A1 or capable of achieving B3 or A1.
B3 and A1 have the same functional requirements. A1 has more assurance built in to its development process. Basically these requirements mean that you can't give others access to your files if the security officer doesn't let you.
Unlike the crypto regulations, it is possible to build something that is secure which does not meet the Orange Book requirements. If you are involved in OS development, go to B2 and stop. There's no market (outside the government) for B3 anyway.
Bill Frantz | Internet Explorer, the | Periwinkle -- Consulting (408)356-8506 | hacker's path to your | 16345 Englewood Ave. frantz@netcom.com | hard disk. | Los Gatos, CA 95032, USA