2000-03-27-13:49:39 Ng, Kenneth (US):
> Just saw the following on cnn.com:
> http://cnn.com/2000/TECH/computing/03/27/secure.standard.idg/index.html

For people who don't want to wait for c. 50KB of noise to come down,
so they can read the 1KB of text wadded into the middle of it, this
was a marketing piece by someone trying to push Common Criteria
certification; it claimed that every major industry segment that
cares about security has embraced the CC, and regards them as an
appropriate way to shop for secure gear.

For what it's worth, a C-C certification probably isn't any more
destructive than an ISO-9000 certification. Also, it probably
doesn't say anything more about whether the product in question is
appropriate for a given security-critical application.

The Common Criteria are the descendant of the rainbow book Trusted
Product Evaluation Program.

Once we figure out what security is, and how to specify it properly
in a design, then we can start working on certification programs.

At the moment, I only know of two people who design secure computer
systems, and neither of them has anything to do with the C-C. Or
the TPEP.

There are some TPEP evaluated OSes out there.

If I wanted to build a secure server, I'd have more confidence in a
well-seasoned open source OS running suitably-chosen components,
like e.g. openssh, postfix or qmail, dnscache, and so forth.

-Bennett