Keeping an ITSEC TOE confidential is not unusual. It would be more
unusual to not keep it confidential or at least restricted distribution,
given the contents. It is a major flaw of the scheme...you are trusting
the certifier to enforce a "good" TOE if they are going to give an
E3-High rating.
In the ITSEC scheme, saying something is certified as "E3" says nothing
substantial anyway. (E levels refer to correctness of implementation,
which is quite important, but not the whole story.) You also need to
know the rating for the "strength of mechanism", which is Basic, Medium
or High. In other words there's another work-around that is at least
as simple as what you stated:
1. Define your TOE as tough or easy as you like.
2. Do a reasonably good job of documenting your process and doing
configuration management. Don't worry about how secure your product is.
3. Do the certification process, pay the $$. Get an E3-Basic (lowest
level) rating from the certifier.
4. Tell your customers that you "passed ITSEC E3", but don't tell them
at what strength. Rely on their ignorance to not ask the most important
question.
- ml
Peter Gutmann wrote:
>
>
> Actually there's a way you can manage this (which was used by MS to get NT's
> ITSEC E3 certification in the UK):
>
> 1. Define your own TOE (target of evaluation) for the certification
> (translation: lower your expectations to the point where they're already
> met).
> 2. Have the product certified to your own TOE.
> 3. Mark the TOE "Microsoft Confidential" and don't let anyone see it
> (leading to considerable speculation about how you could possibly manage
> to write a TOE which would allow NT to get an E3 certification).
> 4. Tell everyone you have an E3 certified OS and sell it to government
> departments as secure.
>
> This isn't to say that the certification process is a bad thing. If it's done
> properly it can lead to a reasonable degree of assurance that you really do
> have a secure product, which is exactly what was intended. Unfortunately if
> all you're interested in is filling a marketing checkbox, you can do this as
> well. This was the Orange Book's strength (and weakness), it told you exactly
> what you had to do to get the certification so you couldn't work around it
> with fancy footwork. OTOH it was also inflexible and had requirements which
> didn't make sense in many instances, which is what led to the development of
> alternatives like ITSEC/the Common Criteria. For all its failings I prefer
> the Orange Book (if it can be made to apply to the product in question)
> because that way at least you know what you're getting.
>
> (Given that NT now has a UK E3 certification, I don't think you need to get
> it recertified in the US, since it's transferable to all participating
> countries, so I don't think it'd have to be certified by the above lab).
>
> Peter.