>The ITSEC evaluation says that the product met the requirements documented
>in its "Security Target" document.

Right, if I understand correctly, it's a lot like those ISO9000 deals - you're evaluated on whether or not you actually do what you claim to do. And, since everyone's claims can be subtly different, in the end the evaluation is useless because a user of the evaluated product has to re-evaluate the product to see if the claims make sense for their purpose.

I once thought about trying to get a 10baseT hub ITSEC evaluated as a firewall (albeit a very permissive one) but the mountains of paperwork and the huge amount of time and money necessary are daunting.

I'm sure that many on this list will be shocked to hear me say this, but the ICSA firewall product certification is orders of magnitude more valuable to real customers than ITSEC evaluation.

mjr.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:17 PDT