[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")

Jonathan S. Shapiro shap at eros-os.com
Wed Jan 3 02:42:20 CST 2007


On Tue, 2007-01-02 at 20:22 -0800, David Wagner wrote:
> By the way, I would caution folks against thinking that the Rainbow
> series are definitive texts on computer security, or that they are a good
> reflection of modern thinking and conventional wisdom about computer
> security.

Actually, this was true even when they were written. The Rainbow Series
was authored in the spirit of capturing existing best practices. It was
not an attempt to cohesively organize the area. A cohesive treatment was
the goal of the "Federal Criteria" project, which was started
afterwards.

Unfortunately, the Federal Criteria effort was halted when the US
decided to join the Common Criteria effort (which *also* is not an
attempt at a cohesive treatment). This is a source of deep frustration
to many of the people who were involved in the Federal Criteria effort.

So: the Rainbow Series is at best a capture of best practices. It is not
a definitive look at computer security, and never was.

shap
