IDS mailing list archives
Re: [IDS] IDS Common Criteria
From: Frederick M Avolio <fred () avolio com>
Date: Tue, 07 Jan 2003 09:15:13 -0500
Outside Government and Military circles where I can see Common Criteria Certification being extremely useful, how valuable is it, i.e. within the financial sector etc.? More importantly, what are its failings?
CAVEAT: My direct knowledge of the CC is about 2 years old. Maybe things are better. I doubt it.
The Common Criteria has all the markings of what it is: a government-created and organized, committee-deliberated process. (That's meant to be really negative, for those who like such things, and exclaimed, "Cool!") Notice the definition on their web page: "The Common Criteria represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community."
The "warning signs" are "series of efforts" and "broadly useful." (And it is over 600 pages.) The CC is a standard for measurement. But there is no "Firewall test," no "IDS test," etc. As long as you understand that it is a set of specific criteria in standard format against which a vendor can document any product, there is no problem.
Example: If we had such a thing for automobiles, you'd be able to lay a chart for every one next to the other and compare across for the things you cared about. They would all use standard notation for the same features.
Wait... that sounds really useful. Yes, except -- using the example I just gave -- you have to create the tables and you have to know the code name for each feature. Oh, and the manufacturer gets to decide what features to highlight and what to leave out. There is no requirement to include any specific criterion. It is *not* a Consumer Reports (sorry, I realize some of you don't know what I mean) evaluation of products with identical selection criteria reporting how each product fared.
Is Common Criteria useful? I don't see how it is.

Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/