IDS mailing list archives

Re: [IDS] IDS Common Criteria

From: Frederick M Avolio <fred () avolio com>
Date: Tue, 07 Jan 2003 09:15:13 -0500

Outside Government and Military circles where I can see Common Criteria
Certification being extremely useful,  how valuable is it, ie within the
financial sector etc ?  More importantly what are it's failings?

CAVEAT: My direct knowledge of the CC is about 2 years old. Maybe thingsare better. I doubt it.

The Common Criteria has all the markings of what it is: a governmentcreated and organized, committee deliberated, process. (That's meant to bereally negative, for those who like such things, and exclaimed, "Cool!")Notice the definition on their web page: "The Common Criteria representsthe outcome of a series of efforts to develop criteria for evaluation of ITsecurity that are broadly useful within the international community."

The "warning signs" are "series of efforts" and "broadly useful." (And itis over 600 pages.) The CC is a standard for measurement. But there is no"Firewall test," not "IDS test," etc. As long as you understand that it isa set of specific criteria in standard format against which a vendor candocument any product, there is no problem.

Example: If we had such a thing for automobiles, you'd be able to lay achart for every one next to the other and compare across for the things youcared about. They would all use standard notation for the same features.

Wait... that sounds really useful. Yes, except -- using the example I justgave -- you have to create the tables and you have to know the code namefor each feature. Oh, and the manufacturer gets to decide what features tohighlight and what to leave out. There is no requirement to include andspecific criterion. It is *not* a Consumer Reports (sorry, I realize someof you don't know what I mean) evaluation of products with identicalselection criteria reporting how each product fared.


Is Common Criteria useful? I don't see how it is.

Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/

Current thread:

IDS Common Criteria Talisker (Jan 06)
- Re: [IDS] IDS Common Criteria Frederick M Avolio (Jan 07)
  - Re: [IDS] IDS Common Criteria Randy Taylor (Jan 07)
    - Re: [IDS] IDS Common Criteria Frederick M Avolio (Jan 07)
    - Re: [IDS] IDS Common Criteria Randy Taylor (Jan 07)
    - Re: [IDS] IDS Common Criteria Talisker (Jan 07)
    - Re: [IDS] IDS Common Criteria Randy Taylor (Jan 07)
    - RE: [IDS] IDS Common Criteria Greg van der Gaast (Jan 08)
- RE: IDS Common Criteria Greg van der Gaast (Jan 07)
- Re: [IDS] IDS Common Criteria Randy Taylor (Jan 07)
- <Possible follow-ups>
- RE: IDS Common Criteria Greenspan, Howard (Jan 07)
- RE: IDS Common Criteria Alan Shimel (Jan 07)

(Thread continues...)