On Tue, Feb 02, 2010 at 02:15:00PM -0500, Brad Tilley wrote:
> Common Criteria - http://www.iso15408.net
[...]
> I think the certification process can be very narrowly focused on a
> few parts of the system
[...]
Yup, that's the whole idea behind CC - all the evaluation does is verify
the claims that the vendor has outlined in the "Security Target" (ST). The
"EAL" levels only tell you to what depth this has been done.
Hence, the "EAL" tells you zilch unless you also read the ST (i.e. the
vendor claims). In some areas (e.g. smartcards), requirements for STs
have been standardised to some extent, so the CC results are more
comparable - but in other areas, vendors can pretty much claim what they
want...
Cheerio,
Thomas
--
****** PLEASE: NO Cc's to me privately, I do read the list - thanks! ******
-----------------------------------------------------------------------------
Thomas Ribbrock http://www.ribbrock.org
"You have to live on the edge of reality - to make your dreams come true!"
