mailing list archives
Re: Can ISO15408 evaluated products be trusted?
From: Valdis.Kletnieks () vt edu
Date: Wed, 18 May 2005 14:45:20 -0400
On Wed, 18 May 2005 08:25:32 PDT, Nora Barrera said:
Does anybody understand what is really tested during
an evaluation, or is it just bullshit?
Ask the vendor for a copy of the evaluation report.
The *important* part you want to find is the 'Protection Profile' that
it was evaluated against - this replaces the old C1/C2/B1/B2/A levels
in the old DOD Orange Book. Note *very* carefully this change from
There are *two* components - the Protection Profile (how much stuff the system
is designed to protect) and the EAL (evaluation assurance profile) (how good/
thorough a job the system does). So it's possible to get a very high rating on
a not-very-protective profile (and in fact, many vendors have done this).
http://niap.nist.gov/cc-scheme/pp/index.html has a list of profiles.
Note that the EAL and PP interact - a CAPP (Controlled Access) evaluated at EAL4
may actually provide less *real* protection than an LSPP (Labeled System) evaluated
to EAL3 - the EAL4 just means they've done more work to prove the *provided*
security works as advertised.
The NSA reportedly did an EAL7 light switch. They did a *LOT* of work proving
there was no possible way to subvert any of the security mechanisms the light
switch provided. :)
(And yes, many vendors went for an EAL4 on a lower protection profile instead
of an EAL3 on a profile that required more features - don't let Microsoft, IBM,
Suse, or *anybody* brag up that EAL4 till they tell you what profile it was aginst ;)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/