On Mon, Feb 22, 2010 at 3:51 PM, Aram Hăvărneanu <[email protected]> wrote:

> EAL4 is meaningless. The auditor is not required to view the software
> in any way (binary or source). Any vendor with money can get its OS to
> be certified at least at EAL 4 because all that means is that the OS
> has some mechanisms in place for implementing security. It does not
> guarantee that those mechanisms really work or that the OS is not full
> of security holes.
>
> Security certifications are futile. At best, they can certify the
> *model*, not the *implementation*. I seriously doubt .mil or .gov has
> such requirements for high security networks. I see this kind of
> nonsense in the Enterprise world.
>

Besides what's written above, EAL is meaningless unless you read the Protection Profile. EAL is the assurance level *against* the protection profile. If your PP specifies only that in your systems users log in using passwords, you can easily get EAL7, but that would be so meaningless...

--
Aram Hăvărneanu

