"William H. Geiger III" <[EMAIL PROTECTED]> writes: >In <v0421012db3be70faae9c@[207.244.108.87]>, on 07/23/99 > at 03:20 PM, Robert Hettinga <[EMAIL PROTECTED]> said: >>>The Financial Services Security Laboratory will open July 28 in >>>Reston, Va. The facility will be used to test software packages against >>>a set of standards for securing e-commerce and bill-payment >>>applications, as well as browsers and operating software. >Well I have my doubts on this. Either they refuse to certify Microsoft & >Netscape software and alienate 90% of the consumer market, or they do certify >them making their certification worthless. Actually there's a way you can manage this (which was used by MS to get NT's ITSEC E3 certification in the UK): 1. Define your own TOE (target of evaluation) for the certification (translation: lower your expectations to the point where they're already met). 2. Have the product certified to your own TOE. 3. Mark the TOE "Microsoft Confidential" and don't let anyone see it (leading to considerable speculation about how you could possibly manage to write a TOE which would allow NT to get an E3 certification). 4. Tell everyone you have an E3 certified OS and sell it to government departments as secure. This isn't to say that the certification process is a bad thing. If it's done properly it can lead to a reasonable degree of assurance that you really do have a secure product, which is exactly what was intended. Unfortunately if all you're interested in is filling a marketing checkbox, you can do this as well. This was the Orange Book's strength (and weakness), it told you exactly what you had to do to get the certification so you couldn't work around it with fancy footwork. OTOH it was also inflexible and had requirements which didn't make sense in many instances, which is what lead to the development of alternatives like ITSEC/the Common Criteria. For all its failings I prefer the Orange Book (if it can be made to apply to the product in question) because that way at least you know what you're getting. (Given that NT now has a UK E3 certification, I don't think you need to get it recertified in the US, since it's transferrable to all participating contries, so I don't think it'd have to be certified by the above lab). Peter.
