On 3 Feb, Marcus J. Ranum wrote:
>
>>The ITSEC evaluation says that the product met the requirements documented
>>in its "Security Target" document.
>
> Right, if I understand correctly, it's a lot like those ISO9000
> deals - you're evaluated on whether or not you actually do what
> you claim to do. And, since everyone's claims can be subtly
> different, in the end the evaluation is useless because a user
> of the evaluated product has to re-evaluate the product to see
> if the claims make sense for their purpose.

Yep. If the product is not used under the same conditions that it was
evaluated under (ie. exact same version/revision, sometimes on particular
hardware, possibly with any number of other restrictions), the evaluation
essentially means nothing. So a user must determine whether these
restrictions make sense for them.

The biggest problem I see in things like firewalls (and other fast-ish
paced software/hardware) is that every version/revision must be
evaluated, which means big expenditure on the part of the developer to
maintain a rating.

> I once thought about trying to get a 10baseT hub ITSEC evaluated
> as a firewall (albeit a very permissive one) but the mountains
> of paperwork and the huge amount of time and money necessary
> are daunting.

E1 and E2 aren't too bad, although to my mind the ratings mean little
anyway. E3 and E4 start getting prohibitive, unless you're following
pretty rigorous design/documentation procedures anyway. E5 and E6 are
just plain horrendous!

> I'm sure that many on this list will be shocked to hear me say
> this, but the ICSA firewall product certification is orders of
> magnitude more valuable to real customers than ITSEC evaluation.

So far as I can tell, ITSEC and Common Criteria ratings are mainly used
by governments when buying products (I believe an ITSEC rating is
mandatory in Australia for some purchases). They can be of some use to
commercial companies, but the restrictions placed on the "secure" use of
them may be prohibitive.

Tim.

What's the difference between roast beef and pea soup?
Anyone can roast beef.

These are, of course, my opinions only.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:34 PDT