Hi Jim,

> that level of risk. The assurance level is EAL 3 and the minimum
> strength of function is SOF-medium.
>
> But the press release states NT-2000 achieved EAL-4?

It was. The CAPP only specifies the minimum assurance level required. Common Criteria EAL4-CAPP is roughly equivalent to ITSEC E3/F-C2 which is roughly equivalent to TCSEC (Orange Book) C2. Consequently, most commercial unix vendors which originally obtained a C2 certification are now obtaining a CC EAL4-CAPP certification. MS apparently decided to do the same.

> Is it arguable that the difference is minimal. Is there a more formal
> description of what can be done with an EAL3 vs an EAL4 device?

If by 'what can be done' you are referring to recommended usage, I'm not aware of any. If you mean functionality, then you might want to re-read the webpage referenced in a previous message. EAL# does not specify functionality, only assurance. In other words, what processes were followed and how rigorously. The Protection Profile is what specifies the functionality.

Cheers,
--Ron