The subject of government-mediated evaluations of computer security
products has come up a few times on this list, so I'm taking this
opportunity to ask the readership for assistance in a survey I've been
working on.

I'm collecting information about security product evaluations under formal
criteria like the old Orange Book, the ITSEC, the Common Criteria, and
similar things. The results so far are posted here:

Personally, I thought this topic was rapidly dying until I took the time to
review recent evaluation activity. Here's a summary of what I've found:

*) The trend is limited, but upwards. Formal evaluations hit a peak of 37
products in 1994, dropped back a bit, and then the numbers started climbing
again. There were 35 evaluations finished in 1998. So far, 20 were
completed this year, and 29 are in progress.

*) Firewalls, VPNs, and PC security products account for a lot of the
evaluations. Originally it was dominated by OSes, and DBMSes were big in 1994.

*) Although the earliest evaluations took place in the US, most evaluations
are now done in other countries, even for products by US vendors. US
evaluations peaked in 1994 and then fell back to earlier levels, while the
overall numbers are climbing.

This information is based on data from the NIST/NIAP/TTEP/NSA web sites in
the US, the UK web site for ITSEC and CC evaluations, and the Australian
web site. Other sites seemed to only replicate that information. So I've
got data on TCSEC, UK ITSEC, and Common Criteria evaluations, but nobody
else. Does anyone know anything about other countries' activities and where
I might find listings of their product evaluation history?

Thanks much.

"Internet Cryptography" at