At 11:27 AM 7/27/99, Peter Gutmann wrote:
>(Given that NT now has a UK E3 certification, I don't think you need to get
>it recertified in the US, since it's transferrable to all participating
>countries, so I don't think it'd have to be certified by the above lab).

I'm not sure this is true. The only agreements I've been able to find to formally cross-recognize evaluations are for the Common Criteria. So an EAL4 certification would be recognized but an (arguably) equivalent E3 based on the UK ITSEC would not.

Of course, this assumes that some enterprise has a formal, non-negotiable requirement for a product that has been evaluated and certified under security criteria recognized by the US government. As far as I can tell, NOBODY really has this requirement any more, or at least they don't seem to enforce it if they do.

The practical situation is that people who are comforted by evaluations will probably accept any approval they can find as long as the host government is considered tolerably friendly.

Rick.
