RE: [Fed-Talk] [Announce] Common Criteria Certification!
- Subject: RE: [Fed-Talk] [Announce] Common Criteria Certification!
- From: "Cole, John (Civ, ARL/CISD)" <email@hidden>
- Date: Fri, 18 Feb 2005 16:15:13 -0500
- Thread-topic: [Fed-Talk] [Announce] Common Criteria Certification!
Rex,
The problem is that people do not read the requirements, but react to
the certification.
Few people read standards, but feel they must have the products that
meet them.
But meets what?
There are those who argue, and I agree with them, that such standards and
certification actually create, as you say, less security by fooling
people into having a false sense of safety. The burden on writers of
requirements, whether in standards or protection profiles, is quite high
considering how much the public and others rely on this stamp of
assurance.
It is much easier to produce a weak or defective requirement, and market
products blessed by the evaluation process, than to actually achieve
security. That will continue to be the case. But professionals with
feelings of ethics and an obligation to society will do their best to
prevent such standards, protection profiles, and requirements from
seeing the light of day.
-Jack
-----Original Message-----
From: fed-talk-bounces+cole=email@hidden
[mailto:fed-talk-bounces+cole=email@hidden] On Behalf Of
Rex Sanders
Sent: Thursday, February 17, 2005 2:45 PM
To: Fed Talk
Subject: RE: [Fed-Talk] [Announce] Common Criteria Certification!
For one perspective on Common Criteria certification, and the Windows
2000 CAPP/EAL4 certification, written in understandable English, see:
http://eros.cs.jhu.edu/~shap/NT-EAL4.html
After reading this, I'm sorry that vendors must spend so much money to
certify obsolete operating systems and applications (because the process
takes so long) using vague criteria that don't improve security very
much, despite being required by many Government agencies.
But that's just my opinion.
-- Rex
At 1:25 PM -0500 2/17/05, Brian Raymond wrote:
>That's good news and will help Apple gain access to some new things.
>
>I know Apple just received their EAL3 certification but in my
>experiences we can't do much with it until EAL4 so I wanted to ask what
>the plans are to push for an EAL4 certification? The fact that MS has
>an EAL4 for Windows 2000 gives a lot of people ammunition to throw back
>when trying to push for OSX or Linux. I've run into it myself when
>pushing for Linux, thankfully EAL4 is currently being worked for both
>Redhat's enterprise Linux and Suse.
>
>For people who wonder how MS would have received a certification to
>EAL4 read up on what the CAPP profile is and what it means and you can
>see how.
>
>- Brian
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden