Well, standards and efforts to get useful things are always a good thing.
The problems I see here are that:
- This stuff generally requires much work for developers. For this reason,
it is rarely correctly implemented, if at all.
- The certification process is relatively expensive (much work is needed for
a "serious" system). Hence, the motivation for the certification is generally
a purely marketing decision, except when it is imposed by an important
customer (such as military organizations). But then the customer pays
(indirectly) for the process.
- This stuff specifies directions and methods and leaves implementors free.
This is the right thing, since one should not limit creation. The bad side is
that the certification program is then hardly "precise". You can certify
almost anything, since this simply means "the product is certified to work as
specified in the TOE".
- "Normal" customers get excited at diplomas and certificates without any
care for what exactly has been certified. So they then buy products not
adapted to their needs and boycott other products that may be what they
really need.
Yes, these problems are more social and economic than technical, but can't
anything be done to make things better?
I think of something like deriving product categories with "exact"
definitions and only delivering specific certificates for products that
exactly match their definitions. To be more precise, saying that "a firewall
is certified" is a thing that I'm not interested in, while having "this FW is
certified to be a category F234" will be more helpful.
Of course, I may be wrong in part or all of what I say (I do, however, act as
specified in my certificate of birth).
Regards,
mouss
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Roland Mueller
> Sent: Monday, March 27, 2000 9:42 PM
> To: Ng, Kenneth (US)
> Cc: [EMAIL PROTECTED]
> Subject: Re: Common Criteria?
>
>
> Well, let's state the following:
>
> CC is a way to assure that products meet IT security functionalities as
> defined in this standard. The official standard CC (or ISO IS 15408) is
> available at the nist home page (http://csrc.nist.gov/cc/), they also
> provide some useful info.
>
> It is an extremely work-intensive effort to get a product evaluated, but
> it helps the developers as well as the users, because the developers are
> forced to document everything - even their testing. And when I
> consider how many patches are needed in products, then a more diligent
> approach is urgently needed. And that's for the benefit of the
> customers.
>
> Roland
>
> BTW, ISO 9000 is a standard that - if used as intended - helps
> streamline business processes. If you misuse it, then it helps
> document bad business processes. It is up to the user what he does
> with ISO 9000. I am no fan of ISO 9000, but I know that some companies
> used it well and it helped them.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]