I counted 60 acronyms in the first 2 pages of the functional requirements (TOC). A short sample: FIA_AFL, TSF (FMT_MOF), FPR_ANO, FPT_ITC, TOE TSF, FRU_RSA, FTA_MCS, FAU_GEN, FCO_NRR, FCS_CKM, FDP_ACF, etc. etc. Someone up there must LOVE abbreviations.

*-----Original Message-----
*From: [EMAIL PROTECTED]
*[mailto:[EMAIL PROTECTED]] On Behalf Of Marcus J. Ranum
*Sent: Tuesday, November 28, 2000 4:43 PM
*To: [EMAIL PROTECTED]
*Subject: Re:
*
*
*Frederick M Avolio <[EMAIL PROTECTED]> writes:
*>Yes I encourage anyone who thinks that the Common Criteria sounds like a
*>wonderful invention to skim at least a few of the documents
*
*That's cruel, Fred. That stuff's completely unreadable
*gibberish and you know it. The only reason anyone should
*read it is if they:
* a) want an example of how _not_ to convey information effectively
* b) are suffering from sleep disorder and wish to become unconscious
*
*Here's a fun common criteria story. ;) The names have been
*left out, but the story is true <dum-dah-dum-dum> - about
*a year after I stopped writing firewalls for a living ('95+)
*I got a call from someone who'd been working on common criteria
*profiles for firewalls. They worked for one of the agencies
*that helped perpetuate the whole common criteria thing, and
*were very seriously into the whole concept. The guy invited
*me to review and comment on the profile for firewalls (I may
*have some of the terminology wrong) and offered to send it.
*At that time, I had been sharpening my fangs on ICSA's ankles,
*and so the whole topic of certifying firewalls was "interesting"
*to me. So I agreed. Then I got this - thing - that appeared
*to have been written in its own language. As I studied it
*more closely, I realized that it was written entirely in
*code - every term that was in common use had been redefined
*into another term. In fact, the whole document appeared to
*be the output of an extended game of gnomic. It was the most
*amazing pile of unreadable bureaucratese - for unreadability
*it beat Rijndael ciphertext quite easily. So I get on the
*phone with the guy, not wanting to commit my comments to
*E-mail and posterity:
* M: "Hi, this is Marcus. I've been reviewing the stuff you
*     sent and I have a couple of questions about it."
* ?: "OK, sure!"
* M: "Alright: where's the executive summary?"
* ?: "Huh?"
* M: "You know, the 1 page summary that tells a manager
*     what it _means_ so they don't have to read the rest?"
* ?: "We don't have those. That's not what this program
*     is about!"
* M: "Ok, then, who do you expect to use these documents?"
* ?: "Security officers who are seeing if products meet the
*     profile for deployment."
* M: "Oh, so you mean this is written in the language of
*     a mysterious priesthood that nobody listens to, so that
*     other members of the mysterious priesthood will nod
*     sagely? Meanwhile everyone will base their product
*     deployments on what they read in 'Data Communications'?"*
*
* ...
* and it went downhill from there. I fear I lost a friend.
*
* The DOD-oids who are working on this formal security
*stuff and common criteria are the most out-of-touch people
*on earth, as far as I can tell. What good is a spec that
*nobody can or will read? You can't even use it as a paperweight
*because it's also paper!
*
*(* a great and sorely-missed journal that had some top-notch
*product reviews that had real teeth)
*
*mjr.
*-----
*
*Marcus J. Ranum
*Chief Technology Officer, NFR Security, Inc.
*Work: http://www.nfr.com
*Personal: http://www.ranum.com
*
*-
*[To unsubscribe, send mail to [EMAIL PROTECTED] with
*"unsubscribe firewalls" in the body of the message.]
