Windows 2000 declared secure
Julien WILK
gizmo at generikz.com
Sat Nov 2 19:15:19 EST 2002
Well,
Actually this is not completely true. If the Certification Lab is also the
Validation body, then the Certificate is only limited to the country of
Certification release.
Precisely in Germany (among other countries), you can get an EAL 4+
certification from a Laboratory... which is conducting the Evaluation too. They
will even write the needed documentation for you if you pay a fee for each
day spent.
I've been looking for the entities which are assumed to have delivered the
Validation and Certification to Win2K sp3 and couldn't find any described
anywhere.
Also the Security Target can be really narrowed down to the minimum you want
to get a certificate for. Example: GemPlus got an EAL 5+ on one of their
smartcard products. That was major news at that time... only that the only
target tested was the code used to load/delete Java applets on one of their
Smartcard OSes. The rest of the platform (and it was quite huge compared to
these few lines tested) was not in the target. Typical marketing BS. If
your whole target is not good enough to get your EAL 4+, then cut it down to
what *is* good enough and get your approval...
By the way, the augmentation granted to Win2K sp3 only covers the fact that
they will work on patches when new flaws are unveiled or new bugs
discovered. There is no pro-active search for security holes implied by
the security level they got.
If you read it completely... Win2Ksp3 is just what we know it to be: just
good enough by the time the last Service Pack was released but will soon
suffer from new troubles. The EAL Certification is only relevant on the day
it's granted, then you need to go all along through the maintenance process.
Rgds,
Julien
Jonathan S. Shapiro wrote:
>
> Context: There are international mutual-recognition treaties covering
> EAL4 and below, so if you get an EAL4 evaluation in Germany, it's
> accepted as binding in the US. Above EAL4 there is no mutual
> recognition.