December 3, 2003 7:30 AM PST
Red Hat Linux nears security clearance
- Related Stories
Red Hat, Oracle to certify Linux for gov'tFebruary 12, 2003
Oracle, which is sponsoring Red Hat in the project, said the evaluation of Red Hat Enterprise Linux 3 under the Common Criteria scheme was expected to be "substantively complete" by the end of this month. Following this, the U.K. certification body must carry out a review and issue certification.
"Obviously, this phase of the evaluation is not under vendor control but is expected to take between a month to six weeks," Tim Payne, Oracle's European head of technology products, said on Wednesday.
Red Hat hopes the nearly yearlong $1 million process of achieving Common Criteria certification will push Linux into the mainstream, as many government agencies around the world require the certification in order to deploy an operating system. The U.K. government is among the 19 that recognize the Common Criteria evaluation. A certification from one country is recognized in the others. With countries from Germany to Peru considering using open-source software, having a certified version of Linux could help break down barriers.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
Certification by year-end would mean that Oracle and Red Hat would meet the goal set last February, when the companies announced the project.
Oracle and Red Hat are first pushing Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Letvel (EAL) 2. SuSE Linux Enterprise Server 8 running on IBM's Intel-based xSeries servers achieved EAL 2 in August. Red Hat rival SuSE Linux leads in the Common Criteria race, however.
In total, there are seven levels of certification attesting to varying grades of security, reliability and developmental process control. The highest level a commercial software laboratory can certify is EAL 4, which Microsoft received for Windows 2000 last autumn.
While the move is important for Linux, the 12-year-old Unix-like operating system still lags competitors in the certification process. Besides Windows 2000, Sun Microsystems' Solaris, IBM's AIX and Hewlett-Packard's HP-UX all have the higher EAL 4 certification.
The EAL level a government customer needs depends largely on the agency and the application in which the software will be used. Earlier this year, the U.S. Department of Defense gave Red Hat a Common Operating Environment certification, which attests to a certain level of interoperability with other operating systems.
Oracle 9i has already been certified at EAL 4 on both Windows NT and Solaris but has to be recertified for each operating system on which it runs. Oracle has said that some government clients have asked Oracle to push for Linux certification.
After Red Hat earns the EAL 2 certification, Oracle plans to work toward getting its Oracle 9i Release 2 database running on the evaluated Red Hat Linux Advanced Server, certified at EAL 4. Oracle currently ships Oracle 9i Release 2 on Red Hat Linux Advanced Server as part of its Unbreakable campaign. The final goal for both companies is to have both Red Hat's software and Oracle's software certified under the Common Criteria at EAL 4.
Oracle has tackled the process 15 times on a variety of operating systems.
The Common Criteria, an international standard administered in the United Kingdom by a GCHQ division called the Communications-Electronics Security Group (CESG), grades products based not only on their security and reliability but also on the development and support processes that ensure quick responses to problems.
Other countries that have signed the "Arrangement on the Mutual Recognition of Common Criteria Certificates in the field of Information Technology Security" are Australia, New Zealand, the United States, Canada, Spain, Germany, Greece, the Netherlands, France, Hungary, Austria, Italy, Turkey, Norway, Finland, Sweden, Israel and Japan.
Matthew Broersma of ZDNet UK reported from London. CNET News.com's Robert Lemos and Stephen Shankland contributed to this report.