Simon Riggs wrote:
> The process works like this: software gets developed, then it gets
> certified. If it's not certified, then Undercover Elephant will not be
> used by the secret people. We can't answer the "will it be certified?"
> question objectively yet. If we have someone willing to write the
> software and put it forward for certification then we should trust that
> it probably will pass certification and if it doesn't we will see
> further patches to allow that to happen.
For what it's worth, we can see that there are indeed
Postgres forks on the Common Criteria certified list.
http://www.commoncriteriaportal.org/products_DB.html

  PostgreSQL Certified Version V8.1.5 for Linux
    Manufacturer:         NTT DATA CORPORATION
    Assurance level:      EAL1
    Certification date:   22-MAR-07
    Certification report: c0089_ecvr.pdf
      http://www.commoncriteriaportal.org/files/epfiles/c0089_ecvr.pdf

though at EAL1 they're quite far from the EAL4+ that DB2,
Oracle, etc. get.
That someone went through the effort suggests that there's at least
some interest in getting security certifications for postgres.
It'd be interesting to hear from whoever at NTT was involved with
that certification, if SEPostgreSQL would have either made that
process easier or helped postgres achieve a higher level.