[cap-talk] Capabilities and the NCSC Trusted Computer Security Evaluation Criteria (TCSEC)

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Sun Nov 19 19:06:57 CST 2006


David Wagner wrote:
> Valerio Bellizzomi <devbox at selnet.org> writes:
> 
>>So, is it possible that the "marking" could be used as an element of a way
>>out of TCSEC, and as an argument to "rebirth" the object/capability
>>approach to computer security?
> 
> A personal opinion:
> 
> The TCSEC requirements are most irrelevant to modern computer security in
> the commercial world.  They're a waste of time.  Every second you spend
> trying to comply with TCSEC is one second forever lost from your lifespan.
> They're not worth the brain cells; don't bother.

I'd go further: if you try to comply with TCSEC, you are imposing artificial
constraints on your system that may interfere with making it secure by more
relevant criteria. So it is not just a waste of time, but actively
counterproductive.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>



More information about the cap-talk mailing list