Oracle, which is sponsoring Red Hat in the project, said the evaluation of Red Hat Enterprise Linux 3 under the Common Criteria scheme was expected to be "substantively complete" by the end of this month. Following this, the UK certification body must carry out a review and issue certification. "Obviously, this phase of the evaluation is not under vendor control, but is expected to take between a month to six weeks," said Tim Payne, Oracle's European head of technology products, on Wednesday.
Red Hat hopes the nearly year-long, $1m (£570,000) process of achieving Common Criteria certification will push Linux into the mainstream, as many government agencies around the world require the certification in order to deploy an operating system. The UK government is among the 19 that recognise the Common Criteria evaluation. A certification from one country is recognised in the others. With countries from Germany to Peru considering using open-source software, having a certified version of Linux could help break down barriers.
Oracle and Red Hat are first pushing Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2. In total, there are seven levels of certification attesting to varying grades of security, reliability and developmental process control. The highest level that a commercial software laboratory can certify is EAL 4, which Microsoft received for Windows 2000 last autumn. SuSE Linux Enterprise Server 8 running on IBM's Intel-based xSeries servers achieved EAL 2 in August.
The EAL level needed by a government customer depends largely on the agency and the application in which the software will be used. Earlier this year, the US Department of Defense (DOD) gave Red Hat a Common Operating Environment certification, which attests to a certain level of interoperability with other operating systems.
Oracle 9i has already been certified at EAL 4 on both Windows NT and Solaris, but has to be recertified for each operating system on which it runs. Oracle has said that some government clients have asked Oracle to push for Linux certification.
After Red Hat earns the EAL 2 certification, Oracle plans to work toward getting its Oracle 9i Release 2 database running on the evaluated Red Hat Linux Advanced Server certified at EAL 4. Oracle currently ships Oracle 9i Release 2 on Red Hat Linux Advanced Server as part of its Unbreakable campaign. The final goal for both companies is to have both Red Hat's software and Oracle's software certified under the Common Criteria at EAL 4.
Oracle has tackled the process 15 times on a variety of operating systems.
The Common Criteria, an international standard administered in the UK by a GCHQ division called the Communications-Electronics Security Group (CESG), grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems.
Other countries that have signed the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of IT Security are Australia, New Zealand, the US, Canada, Spain, Germany, Greece, The Netherlands, France, Hungary, Austria, Italy, Turkey, Norway, Finland, Sweden, Israel and Japan.
While the move is important for Linux, the 12-year-old Unix-like operating system still lags competitors in the certification process. Besides Windows 2000, Sun Microsystems' Solaris, IBM's AIX and Hewlett-Packard's HP-UX all have the higher EAL 4 certification.
CNET News.com's Robert Lemos and Stephen Shankland contributed to this report.
Talkback
While it is nice that RedHat is going after EAL 2, this only describes the Evaluation Assurance Level. It says nothing about what functional security requirements are being evaluated. To understand that, you need to see a copy of the Target of Evaluation (TOE)document, or know if they are claiming to meet one or more of the published Protection Profiles. Unfortunately, most people do not understand the Common Criteria and just look at EAL ratings. Without the other half of the story, there really is no information given. Is the RedHat TOE publically available?
While security has many issues, we have managed to solve one and with its Radius support it is working nicely under RedHat to increase its remote access security level to TFA OTP level.
We have developed the CAT - Cellular Authentication Token that provide a low cost, commodity feature for TFA OTP security level.