Re: [Fed-Talk] [Announce] Common Criteria Certification!
- Subject: Re: [Fed-Talk] [Announce] Common Criteria Certification!
- From: "Brian Raymond" <email@hidden>
- Date: Tue, 22 Feb 2005 10:01:53 -0500
- Thread-topic: [Fed-Talk] [Announce] Common Criteria Certification!
Some good comments from both John and Rex and ones I definitely agree with.
As someone who has been in the trenches and uses Windows, OSX, Linux,
Solaris, and OpenBSD on a regular basis I've learned first hand exactly what
you touch on. The only thing most people know how to do is hold up the
certification as the measuring stick needed to "assure" that the solution is
indeed secure.
Is this the fault of the certification itself or the people using it to pick
the solution to use? I think the answer is mostly the people using it to
pick the solution. The people using CC generally take it as the
overwhelming decision maker for whether or not a system is secure. This is
done without understanding what was really certified and how in-depth the
certification was, which is where the breakdown comes. I think CC could do
better describing in layman's terms what, for example, the CAPP profile does
and doesn't mean. Of course, if they did this it would partially undermine
the importance people place on the certification.
- Brian
On 2/18/05 4:15 PM, "Cole, John (Civ, ARL/CISD)" <email@hidden> wrote:
> Rex,
>
> The problem is that people do not read the requirements, but react to
> the certification.
> Few people read standards, but feel they must have the products that
> meet them.
> But meets what?
>
> There are those who argue, and I agree with, that such standards and
> certification actually create, as you say, less security by fooling
> people into having a false sense of safety. The burden on writers of
> requirements, whether in standards or protection profiles, is quite high
> considering how much the public and others rely on this stamp of
> assurance.
>
> It is much easier to produce a weak or defective requirement, and market
> products blessed by the evaluation process, than to actually achieve
> security. That will continue to be the case. But professionals with
> feelings of ethics and an obligation to society will do their best to
> prevent such standards, protection profiles, and requirements from
> seeing the light of day.
>
> -Jack
>
>
>
> -----Original Message-----
> From: fed-talk-bounces+cole=email@hidden
> [mailto:fed-talk-bounces+cole=email@hidden] On Behalf Of
> Rex Sanders
> Sent: Thursday, February 17, 2005 2:45 PM
> To: Fed Talk
> Subject: RE: [Fed-Talk] [Announce] Common Criteria Certification!
>
>
> For one perspective on Common Criteria certification, and the Windows
> 2000 CAPP/EAL4 certification, written in understandable English, see:
>
> http://eros.cs.jhu.edu/~shap/NT-EAL4.html
>
> After reading this, I'm sorry that vendors must spend so much money to
> certify obsolete operating systems and applications (because the process
> takes so long) using vague criteria that don't improve security very
> much, despite being required by many Government agencies.
>
> But that's just my opinion.
>
> -- Rex
>
> At 1:25 PM -0500 2/17/05, Brian Raymond wrote:
>> That's good news and will help Apple gain access to some new things.
>>
>> I know Apple just received their EAL3 certification but in my
>> experiences we can't do much with it until EAL4 so I wanted to ask what
>> the plans are to push for an EAL4 certification? The fact that MS has
>> an EAL4 for Windows 2000 gives a lot of people ammunition to throw back
>> when trying to push for OSX or Linux. I've run into it myself when
>> pushing for Linux, thankfully EAL4 is currently being worked for both
>> Redhat's enterprise Linux and Suse.
>>
>> For people who wonder how MS would have received a certification to
>> EAL4 read up on what the CAPP profile is and what it means and you can
>> see how.
>>
>> - Brian
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden