[3577] in cryptography@c2.net mail archive
NOT the Orange Book
daemon@ATHENA.MIT.EDU (John Young)
Sun Nov 1 22:17:16 1998
Date: Sun, 01 Nov 1998 21:56:24 -0500
To: cryptography@c2.net
From: John Young <jya@pipeline.com>
Paul Merrill, author of "NOT the Orange Book," has
provided a digital version of this "Guide to the Definition,
Specification, Tasking, and Documentation for the
Development of Secure Computer Systems -- Including
Condensations of the Members of the Rainbow Series
and Related Documents:"
http://jya.com/ntob.htm (401K)
Zipped:
http://jya.com/ntob.zip (96K)
This is Paul's 1992 manual prepared while working for
DoD/USAF to spec, research, evaluate and purchase
secure computer systems for ADP, C4I and weapons
and to compensate for the shortcomings of the official
regulations.
It's still widely used, Paul says, to ease the unending
conflict between DoD, NSA and defense contractors about
how to develop and assure computer security from lab
to battle.
Section IV, Case Studies, is a wonder at describing what
to do when perfect design goes bellyup in the field.
