Common Criteria?

Linda Walsh law at
Wed Apr 19 22:30:18 GMT 2000

> Jeff DeMello wrote:

> > What are the benefits:  Products evaluated under the CC are formally mutually recognized in the United States, Canada, France, Germany, the United Kingdom, Australia, New Zealand, Finland, Italy, Norway, Netherlands, Sweden, Switzerland, and informally elsewhere.
> > ---
> > The latest mutual recognition documents I've seen have only included
> > 6 countries.  The UK, France, Netherlands, Canada, Germany and the US.  Could
> > you point me to a document on the '' or the
> > documentation site documenting the other countries?  I
> > don't want to requote you w/o being able to cite an original source.

> The source of my information was ...
	I checked the site.  Careful reading shows 2 agreements in place.
One is recognition up to EAL4 by:
	Australia, Canada, France, Germany, Netherlands, New Zealand, UK and US.

The 2nd agreement is to recognize CC evaluations up to EAL7.  Parties to this 
agreement only recognize certifications done by the European Commission's 
SOG-IS- (Senior Officials Group for Information Security) -qualified certifiers
(in Europe).  These countries are:
	Finland, Italy, Norway, Netherlands, Sweden, Switzerland and United Kingdom.

	In any case, EAL<anything> requires some certification process -- part
of the requirements include "Evaluator Actions".  So certification is a moot
point unless someone pays.  Now all of the necessary Developer and Documentation
steps can be completed for a given EAL, which could make some company sit
up and notice most all of the work is done.  But that's uncertain.  SGI intends
to do it for Linux since we want to be able to sell IA64 boxes running Linux
into DoD government sites (which will require CAPP by next year).  In any
event you still have the Functional set to choose.  US gov will want CAPP and
LSPP.  Who knows what commerce would want.  Perhaps Clark-Wilson (Data 
Integrity/ Database Oriented) or Chinese Wall (information separation 
to prevent conflicts of interest within a company)?  Maybe the designed
security model can be used to implement more than one protection profile /
security need (or target).

No confusion here...nope clear as your typical SF late afternoon day when the fog
rolls in.  ;-/  If I didn't have more work to do a beer would be good about now.


Linda A Walsh                    | Trust Technology, Core Linux, SGI
law at                      | Voice: (650) 933-533

More information about the trustedbsd-discuss mailing list