Reply From: Vin McLellan <vint_private>

>[Moderator: A while back, someone posted a great list of questions that
> focused on what it took to get (then) NCSA certified. And I can't help
> but wonder those same questions now. Do you need to be a paying member of
> the ICSA to get certified? Can non-members achieve the same
> certification? And lastly, what makes the ICSA such experts that they can
> certify these companies?]

ICSA is, of course, a for-profit firm which gathers a group of vendors into a technology-defined "consortium," then negotiates a series of lowest-common-denominator standards among them -- against which all applicants (each of which is a member of the consortium) for "certification."

It is a commercial business model which has given rise to a good deal of cynicism on the Net's infosec forums, where it has been repeatedly suggested that ICSA's firewall certification means about what it costs -- something like $40K.

I think the cynicism is a little overdone in this case. The money is a real issue. Beyond that, it is also true that the vendors define a standard they can make -- not necessarily the best one, or the one which will best or most effectively protect the corporate or government user. On the other hand, the ICSA standards set by the other consortia have historically gotten higher and higher as the technology (and the certification process) evolves, raising the minimal technical standard.

In biometrics, there is probably more to it than that. Biometrics is unusual in that a large group of government agencies -- led by the NSA, but with other serious potential buyers in the game -- took the initiative a decade ago to develop minimal standards and a benchmark system. (It probably says something that this user group grabbed the name "Biometric Consortium" early -- rather than let a vendors' group claim it. See: http://www.biometrics.org/)

So, in this unusual situation, the ICSA had to deal with two technically savvy consortia when they shaped the standards for biometric evaluation: the vendors and the most likely big buyers.

US federal and state agencies, and overseas governments, are serious players in biometrics. Today, they are the largest current market for biometric authentication technologies: for population control (passports, immigration, border control) and anti-fraud system (particularly in government relief payments, where strong authentication could save billions.)

The corporate market, let alone the consumer markets, are still aborning -- so the government guys, real buyers, (typically much more sophisticated than the corporate buyers at the moment) demanded real standards for biometric authentication.

In short, this ICSA biometric certification is probably held to a higher standard than is typically the case with a wholly vendor-dominated ICSA certification group.

It remains to be seen, however, how well ICSA (or the Biometric Consortium, for that matter) has or will address the multitude of unsettled privacy, security-design, and public policy issues that surround specific and/or widespread implementations of biometrics for either identification or authentication.

My two cents.

_Vin

-----
Vin McLellan + The Privacy Guild + <vint_private>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:51 PDT