Windows 2000 declared secure

Jonathan S. Shapiro shap at eros-os.org
Sat Nov 2 11:54:36 EST 2002


Jim Hughes raises some good questions. Let me take them in turn:

> I will quote (from the CAPP document) a few paragraphs below
> where Jonathan quoted:
> 
>         1.3 Strength of Environment
>         
>         The CAPP is for a generalized environment with a moderate level
>         of risk to the assets...

The word "moderate" here is very unfortunate. In reading such
statements, one needs to understand a bit of subtext. The Common
Criteria community is very concerned about the possibility that people
will perceive assurance as impossibly difficult. In consequence, there
has been a tendency to a form of "grade inflation." The effectiveness of
the levels is modestly exaggerated, and the importance of going for
higher levels is grossly understated.

One unfortunate consequence is that NSA has seen no need to publish
guidelines on performing higher-level evaluations, because there has
been no demand.

I think the best way to understand "moderate" in this context is to read
it as "low". When "moderate" became the preferred term for this level,
machines were not routinely connected to the internet.

>         ...The assurance level [of CAPP] is EAL 3 and the minimum
>         strength of function is SOF-medium.
> 
> But the press release states NT-2000 achieved EAL-4?

This is indeed a contradiction. If you go back and look at some of the
documents on the Microsoft web, you'll see that they added a few items
in addition to CAPP. I haven't gone through them in detail, but my guess
is that these additions were intended to augment CAPP just enough to
make a minimal EAL4 evaluation outcome permissible.

> From http://www.commoncriteria.org/docs/EALs.html the differences
> between EAL3 and EAL4 are:
> 
> EAL3 - methodically tested and checked
> EAL4 - methodically designed, tested and reviewed
>
> Is it arguable that the difference is minimal? Is there a more formal
> description of what can be done with an EAL3 vs an EAL4 device?

Actually, the gap is significant and meaningful. In an EAL3 evaluation
it is basically sufficient to show that you have a systematic QA process
in place and that you are using it. No substantive examination of the
design documents occurs.

With EAL4, the evaluators examine the design documents. They look at the
overall comprehensiveness of the design docs and check whether those
docs actually address the requirements of the protection profile.

To achieve EAL4 you actually need to have a design.


shap


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
