Date: Fri, 4 Mar 2005 08:02:14 -0500
From: Ran Atkinson <email@hidden>
Subject: [Fed-Talk] Re: Common Criteria at EAL3
To: email@hidden
Hi,
Congratulations to Apple for having obtained an EAL3 certification on MacOS X.
However, I concur with the several comments that the Common Criteria certification is mostly just a "process hurdle" in selling to the US Government (and other governments).
Common Criteria is a bit better in the areas where there is a standardised evaluation profile than where there is no standardised evaluation profile, but it isn't really all that meaningful to say that FOO has an EAL-N rating.
To understand what a certification means, one has to read and understand the actual evaluation report -- which almost no one does. There was an article in IEEE Computer about flaws in the CC process a few years back that is worth reading. (Aside: the most notorious example of flawed evaluations is probably a formal Windows NT evaluation that was valid only for systems that did NOT have any network interface, even though virtually all deployed NT systems included a network interface).
All that said, the earlier comment that "other vendors have EAL4 already, which places Apple MacOS X at a competitive disadvantage" is completely correct. The ugly reality is that people use EAL requirements to prevent some systems/platforms/software from being bid on an RFP. Also, other people are genuinely confused by this whole CC process and erroneously believe that any EAL4 system is better than any EAL3 system.
So while Apple was smart to get the EAL3, Apple also needs to work towards getting an evaluation at least equivalent to what competitive systems (e.g. Windows, Solaris, Linux) have already gotten. Otherwise, Apple will continue to be locked out of a significant percentage of RFPs.
Yours,
Ran
PS: Since CC is recognised outside the US by several other important governments, the potential market loss to having only an EAL3 is actually larger than just the US Government market.
End of Fed-talk Digest, Vol 2, Issue 45