When Microsoft announced last fall that the International Organization for Standardization (ISO) had awarded Windows 2000 the highest possible grade in the Common Criteria (CC) security certification, open-source advocates downplayed the honor as insignificant and unrelated to real-world security analysis. This week, however, ISO also awarded Linux the CC security certification, and as one might expect, the open-source community greeted the announcement with cheers. There's just one catch: Linux got a lower security rating than Win2K did last year.
ISO granted Linux a "low to moderate" security rating, whereas Win2K received a "moderate to high" security rating. According to people close to the certification process, ISO tested Linux for higher security ratings, but the open-source solution achieved only the "low to moderate" rating.
Further dampening the celebration is news that most Linux installations didn't receive the certification. Sponsored by IBM, which paid a $500,000 fee, the certification applies only to SuSE Linux, and then only when that product is installed on certain IBM hardware. Still, the certification is an important first step for Linux, which is trying to position itself as a viable alternative to Windows in various situations. Microsoft has made significant security-related improvements to Windows since the company launched its Trustworthy Computing initiative a year and a half ago.