What is Common Criteria EAL4 Certification and should we care? How does it fit in with ITSEC and ICSA? Does any of this matter really?

Henry Lemon
mailto:LemonHLat_private
Aristech Chemical Corporation
c=US;a=MCI;p=Aristech;s=Lemon;g=Henry
phone: 412-433-7835
fax: 412-467-2001

-----Original Message-----
From: Marcus J. Ranum [mailto:mjrat_private]
Sent: Thursday, February 03, 2000 11:31 AM
To: Rick Smith; Craig Martin; firewall-wizardsat_private
Subject: Re: Firewalls - ITSEC Rating?

>The ITSEC evaluation says that the product met the requirements documented
>in its "Security Target" document.

Right, if I understand correctly, it's a lot like those ISO9000 deals - you're evaluated on whether or not you actually do what you claim to do. And, since everyone's claims can be subtly different, in the end the evaluation is useless because a user of the evaluated product has to re-evaluate the product to see if the claims make sense for their purpose.

I once thought about trying to get a 10baseT hub ITSEC evaluated as a firewall (albeit a very permissive one) but the mountains of paperwork and the huge amount of time and money necessary are daunting.

I'm sure that many on this list will be shocked to hear me say this, but the ICSA firewall product certification is orders of magnitude more valuable to real customers than ITSEC evaluation.

mjr.