[4111] in Kerberos
Re: NCSC B1 OS & Kerberos
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Sat Oct 29 08:12:54 1994
To: kerberos@MIT.EDU
Date: Wed, 26 Oct 1994 10:01:59
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com
adula@solomon.technet.sg (Chiu Jia Yu) writes:
>I am looking into how to set up an NCSC B1 UNIX machine, is there a role
>that Kerberos can play such as providing the authentication?
Kerberos implements authentication over a network. The NCSC "Orange Book"
criteria, on the other hand, concern security within a single machine.
So Kerberos isn't likely to be part of a B1-evaluated operating system.
That's not to say that Kerberos couldn't be used on a B1 system that's
connected to the network - it could. But the very act of connecting
a B1 system to a network could invalidate its B1 rating, depending on
exactly what was covered in the NCSC evaluation. If the NCSC criteria
were expanded to cover the network itself (if, say, it were applied to
a "network operating system" and not just a single machine), then it
might be possible for Kerberos to be used as the underlying technology
to provide authentication over the network. I don't know if anyone's
actually gone through the process of trying to receive an evaluation
for such a system, though. (I wonder what sort of technologies they're
using for "compartmentalized-mode workstations"? I believe several vendors
have been evaluated at the B level there, and I *think* they include
network connections, but they might be using completely different
protocols that enforce authentication at a much lower level. Anybody
know for sure?)
-Shawn Mamros
E-mail to: mamros@ftp.com