Re: [ISN] ICSA Awards First Biometric Certification

From: mea culpa (jerichot_private)
Date: Tue Apr 28 1998 - 02:06:04 PDT


    Reply From: Vin McLellan <vint_private>
    >[Moderator: A while back, someone posted a great list of questions that
    > focused on what it took to get (then) NCSA certified. And I can't help
    > but wonder those same questions now. Do you need to be a paying member of
    > the ICSA to get certified? Can non-members achieve the same
    > certification? And lastly, what makes the ICSA such experts that they can
    > certify these companies?]
    	ICSA is, of course, a for-profit firm which gathers a group of
    vendors into a technology-defined "consortium," then negotiates a series of
    lowest-common-denominator standards among them -- against which all
    applicants (each of which is a member of the consortium) for
    "certification."  It is a commercial business model which has given rise to
    a good deal of cynicism on the Net's infosec forums, where it has been
    repeatedly suggested that ICSA's firewall certification means about what it
    costs -- something like $40K.
    	I think the cynicism is a little overdone in this case.  The money
    is a real issue. Beyond that, it is also true that the vendors define a
    standard they can make -- not necessarily the best one, or the one which
    will best or most effectively protect the corporate or government user.
    	On the other hand, the ICSA standards set by the other consortia
    have historically gotten higher and higher as the technology (and the
    certification process) evolves, raising the minimal technical standard.  In
    biometrics, there is probably more to it than that. Biometrics is unusual
    in that a large group of government agencies -- led by the NSA, but with
    other serious potential buyers in the game -- took the initiative a decade
    ago to develop minimal standards and a benchmark system. (It probably says
    something that this user group grabbed the name "Biometric Consortium"
    early -- rather than let a vendors' group claim it. See:
    	So, in this unusual situation, the ICSA had to deal with two
    technically savvy consortia when they shaped the standards for biometric
    evaluation: the vendors and the most likely big buyers. US federal and
    state agencies, and overseas governments, are serious players in
    biometrics. Today, they are the largest current market for biometric
    authentication technologies: for population control (passports,
    immigration, border control) and anti-fraud systems (particularly in
    government relief payments, where strong authentication could save
    billions.)  The corporate market, let alone the consumer markets, are still
    aborning -- so the government guys, real buyers, (typically much more
    sophisticated than the corporate buyers at the moment) demanded real
    standards for biometric authentication.
    	In short, this ICSA biometric certification is probably held to a
    higher standard than is typically the case with a wholly vendor-dominated
    ICSA certification group.  It remains to be seen, however, how well ICSA
    (or the Biometric Consortium, for that matter) has or will address the
    multitude of unsettled privacy, security-design, and public policy issues
    that surround specific and/or widespread implementations of biometrics for
    either identification or authentication.
    	My two cents.
          Vin McLellan + The Privacy Guild + <vint_private>
      53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
