[Fed-Talk] Re: Common Criteria
- Subject: [Fed-Talk] Re: Common Criteria
- From: John Daly <email@hidden>
- Date: Mon, 07 Mar 2005 07:11:41 -0800
On Friday, March 04, 2005, at 12:06PM, <email@hidden> wrote:
What we could really use at our shop is a tool which will compare the evaluated Common Criteria setup and compare it with the machine on which it is run, and then output the comparison. This allows a common configuration to meet security requirements, and a test suite to verify that a given system does, in fact, meet those requirements.
Not wanting to duplicate effort, has anyone written such a tool?
Thanks,
John Daly
Mac geek
Technical Information Department
NAWCWD China Lake, California
>Date: Fri, 4 Mar 2005 08:02:14 -0500
>From: Ran Atkinson <email@hidden>
>Subject: [Fed-Talk] Re: Common Criteria at EAL3
>
>Hi,
>
>Congratulations to Apple for having obtained an EAL3 certification on
>MacOS X.
>
>However, I concur with the several comments that the Common Criteria
>certification is mostly just a "process hurdle" in selling to the US
>Government (and other governments).
>
>Common Criteria is a bit better in the areas where there is a
>standardised evaluation profile than where there is no standardised
>evaluation profile, but it isn't really all that meaningful to say that
>FOO has an EAL-N rating. To understand what a certification means, one
>has to read and understand the actual evaluation report -- which almost
>no one does. There was an article in IEEE Computer about flaws in the CC
>process a few years back that is worth reading. (Aside: the most
>notorious example of flawed evaluations is probably a formal Windows NT
>evaluation that was valid only for systems that did NOT have any network
>interface, even though virtually all deployed NT systems included a
>network interface).
>
>All that said, the earlier comment that "other vendors have EAL4
>already, which places Apple MacOS X at a competitive disadvantage" is
>completely correct. The ugly reality is that people use EAL requirements
>to prevent some systems/platforms/software from being bid on an RFP.
>Also, other people are genuinely confused by this whole CC process and
>erroneously believe that any EAL4 system is better than any EAL3 system.
>
>So while Apple was smart to get the EAL3, Apple also needs to work
>towards getting an evaluation at least equivalent to what competitive
>systems (e.g. Windows, Solaris, Linux) have already gotten. Otherwise,
>Apple will continue to be locked out of a significant percentage of RFPs.
>
>Yours,
>
>Ran
>
>PS: Since CC is recognised outside the US by several other important
>governments, the potential market loss to having only an EAL3 is
>actually larger than just the US Government market.