The effort is expected to take nine to 10 months and cost up to $1 million. But if successful, it could pay off handsomely for Red Hat and Oracle, as well as for Linux.
"The government has been deploying Linux in smaller settings quite broadly, but it's still done by exception, by and large," said Mark De Visser, vice president of marketing for Red Hat. "What happens with these certifications is that they will push Linux into the mainstream."
The United States government is among 14 nations that recognize the Common Criteria evaluation. A certification from one country is recognized in the others. With countries from Germany to Peru considering using open-source software, having a certified version of Linux will help break down barriers.
The companies plan to first push Red Hat Linux Advanced Server for a modest level of certification: Evaluation Assurance Level (EAL) 2. In total, there are seven levels of certification attesting to varying grades of security, reliability and developmental process control. The highest level that a commercial software laboratory can certify is EAL 4, which Microsoftfor Windows 2000 last fall.
The EAL level needed by a government customer depends largely on the agency and the application in which the software will be used. On Tuesday, the Department of Defense (DOD) gave Red Hat a Common Operating Environment certification, which attests to a certain level of interoperability with other operating systems.
Oracle 9i has already been certified at EAL 4 on both Windows NT and Solaris, but has to be recertified for each operating system on which it runs. And Oracle thinks that there is a large market among government customers for the company's database running on Linux. In fact, some government clients have been clamoring for Linux, said Mary-Ann Davidson, chief security officer for Oracle.
"One of our large DOD customers asked us if we could foster a Linux evaluation," she said. "The customers truly care about getting Linux evaluated and want Oracle running on it."
There hasn't been much interest in running Oracle on Microsoft's Windows platform because of past security problems with Microsoft products, despite the company's major security push, Davidson said.
"We are going to use Unix and Linux as the evaluation platforms for our products in the future, and not Windows, because the customer demand for Windows is not there," she said. "Frankly, there is a fair amount of disenchantment with Microsoft products because of security problems."
After Red Hat earns the EAL 2 certification, Oracle plans to work toward getting its Oracle 9i Release 2 database running on the evaluated Red Hat Linux Advanced Server certified at the highest commercial rating, EAL 4. Oracle currently ships Oracle 9i Release 2 on Red Hat Linux Advanced Server as part of its Unbreakable campaign.
The final goal for both companies is to have both Red Hat's software and Oracle's software certified under the Common Criteria at EAL 4.
Oracle has tackled the process 15 times on a variety of operating systems.
The Common Criteria, an international standard administered by the National Institute of Standards and Technology in the United States, grades products based not only on their security and reliability, but also on the development and support processes that ensure quick responses to problems.
Other nations that have signed the Arrangement on the Mutual Recognition of Common Criteria Certificates in the Field of IT Security are Canada, France, Germany, the United Kingdom, Australia, New Zealand, Italy, Spain, the Netherlands, Norway, Finland, Greece and Israel.
The benefits of Common Criteria certification for Red Hat's Linux products should trickled down to the rest of the Linux community as well, said Dave Dargo, vice president of Oracle's Linux program office.
"The benefits of this evaluation extend beyond Red Hat in the long term," Dargo said, adding that the enterprise-level changes Red Hat and Oracle have made to the Linux kernel have made their way into Linux 2.5, the newest version of the kernel under development.
Moreover, the evaluation process, while expensive, should result in a more secure version of Linux being generally available, added Davidson.
"Fixing a major security hole costs a lot," she said. "And while certification won't prevent those holes, it helps to have a stricter development process. Finding one security hole that you otherwise would have missed, easily pays for evaluation."