Common Criteria?

Linda Walsh law at sgi.com
Tue Apr 18 22:49:17 GMT 2000


> Jeff DeMello wrote:

> If I were producing a product to be evaluated the only logical choice is a CC evaluation.  Why?  It's not free anymore:  NSA doesn't perform free evaluations anymore, they are done by NSA licensed evaluation firms, such as Arca Systems, and you must pay for them!  If you had to pay for an evaluation, why not pay for a CC evaluation, and reap the benefits. 
---
	I don't think anyone's going to argue benefits.  You are coming from
the 'I know better than you' place...which isn't real "user-friendly"
regardless of its truth and accuracy.  I've known about Orange Book 
reputationally for about 6 years.  I only heard of CC and CAPP/LSPP this
year.  It's just that the older stuff is better known.  I think anyone
knowing about CC would go for that so why come down so harsh and all "you're
so dumb for implementing B1" when it's simply about education.  You might
ask if anyone knows about CC before coming out full guns of why it is
better -- everyone would likely agree with you up front.  I love your
experience profile -- you wouldn't be interested in working at SGI to
get up a CAPP/LSPP cert'ed modular security system that could be used
on Linux or BSD systems, would you?  :-)


> What are the benefits:  Products evaluated under the CC are formally mutually recognized in the United States, Canada, France, Germany, the United Kingdom, Australia, New Zealand, Finland, Italy, Norway, Netherlands, Sweden, Switzerland, and informally elsewhere.
---
	The latest mutual recognition documents I've seen have only included
6 countries.  The UK, France, Netherlands, Canada, Germany and the US.  Could
you point me to a document on the 'commoncriteria.org' or the 
www.radium.ncsc.mil documentation site documenting the other countries?  I
don't want to requote you w/o being able to cite an original source.


> > Given that currently the TrustedBSD project does not have much in
> > the way of funding and support, evaluation is not being planned for,
> > although it is being designed and documented with that in mind.  Now would
> > be the time to retarget evaluation criteria, if necessary.
> Given my statements above, I still have the question.  Why is Trusted BSD being designed and documented with the Orange Book in mind?  
---
	Because maybe everyone hasn't been in the security field as long
as you have.  Come on, remember what it was like when you started?  Did you
know all the sources, all the resources?  Etc.  

> END SOAPBOX   ;-)
> 
> I hope that helps!
---
	Woulda been better w/o the soap...I have bubbles in my mouth.

	BTW, minor nit...you said "certificates are mutually recognized by those
countries up to the EAL4 assurance level (which is about the same level of assurance required of B1)".  B1 equivalent, LSPP, actually requires an Evaluation
Assurance Level of '3' as does the C2 equivalent (CAPP).  

	You can find the latest LSPP and CAPP documents on www.radium.ncsc.mil
under the computer eval part, Protection Profiles.

	I have a 25 page regurgitation of the EAL3 requirements needed
for LSPP and CAPP if anyone is interested.  I could save it as HTML --
It is *purely* for my own edification to more fully understand the requirements
and should be viewed as such.  I'm still working on a useful regurgitation
of the CAPP functional specs -- I likely won't be doing LSPP for a while
unless I get *real* motivated, since our first priority is just meeting 
CAPP.  

-l

-- 
Linda A Walsh                    | Trust Technology, Core Linux, SGI
law at sgi.com                      | Voice: (650) 933-5338