Windows 2000 declared secure

Ron Luman II ron at luman.org
Fri Nov 1 21:02:41 EST 2002


Hi Jim,

> that level of risk. The assurance level is EAL 3 and the minimum
> strength of function is SOF-medium.
>
> But the press release states NT-2000 achieved EAL-4?

It was.  The CAPP only specifies the minimum assurance level required.

Common Criteria EAL4-CAPP is roughly equivalent to ITSEC E3/F-C2 which is
roughly equivalent to TCSEC (Orange Book) C2.  Consequently, most
commercial Unix vendors which originally obtained a C2 certification are
now obtaining a CC EAL4-CAPP certification.  MS apparently decided to do
the same.

> Is it arguable that the difference is minimal. Is there a more formal
> description of what can be done with an EAL3 vs an EAL4 device?

If by 'what can be done' you are referring to recommended usage, I'm not
aware of any.  If you mean functionality, then you might want to re-read
the webpage referenced in a previous message.  EAL# does not specify
functionality, only assurance.  In other words, what processes were
followed and how rigorously.  The Protection Profile is what specifies the
functionality.

Cheers,

--Ron



---------------------------------------------------------------------
The Cryptography Mailing List