Jim Hughes raises some good questions. Let me take them in turn:

> I will quote (from the CAPP document) a few paragraphs below
> where Johnathon quoted:
>
> 1.3 Strength of Environment
>
> The CAPP is for a generalized environment with a moderate level
> of risk to the assets...

The word "moderate" here is very unfortunate. In reading such statements, one needs to understand a bit of subtext. The Common Criteria community is very concerned about the possibility that people will perceive assurance as impossibly difficult. In consequence, there has been a tendency to a form of "grade inflation." The effectiveness of the levels is modestly exaggerated, and the importance of going for higher levels is grossly understated. One unfortunate consequence is that NSA has seen no need to publish guidelines on performing higher-level evaluations, because there has been no demand.

I think the best way to understand "moderate" in this context is to read it as "low". When "moderate" became the preferred term for this level, machines were not routinely connected to the internet.

> ...The assurance level [of CAPP] is EAL 3 and the minimum
> strength of function is SOF-medium.
>
> But the press release states NT-2000 achieved EAL-4?

This is indeed a contradiction. If you go back and look at some of the documents on the Microsoft web, you'll see that they added a few items in addition to CAPP. I haven't gone through them in detail, but my guess is that these additions were intended to augment CAPP just enough to make a minimal EAL4 evaluation outcome permissible.

> From http://www.commoncriteria.org/docs/EALs.html the differences
> between EAL3 and EAL4 are:
>
> EAL3 - methodically tested and checked
> EAL4 - methodically designed, tested and reviewed
>
> Is it arguable that the difference is minimal? Is there a more formal
> description of what can be done with an EAL3 vs an EAL4 device?

Actually, the gap is significant and meaningful. In an EAL3 evaluation it is basically sufficient to show that you have a systematic QA process in place and that you are using it. No substantive examination of the design documents occurs. With EAL4, the evaluators examine the design documents. They look at the overall comprehensiveness of the design docs and check whether those docs actually address the requirements of the protection profile. To achieve EAL4 you actually need to have a design.

shap

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]