mailing list archives
Re: CC evaluation
From: "Nguyen Pham" <nguyen.petronius () gmail com>
Date: Sat, 26 Aug 2006 14:09:25 +0200
Sorry for this missing.
This text found on this report "Evaluation of the Security of Components in
Distributed Information Systems", p20 (http://www2.foi.se/rapp/foir1042.pdf)
On 8/26/06, Clement Dupuis <cdupuis () cccure org> wrote:
Obviously this is a paragraph extracted out of context from some
By itself it is totally wrong but it might make sense if we have access to
the whole document.
Depending on the EAL level being sought you might not even look at the
design process or development process at all. Only the higher level would
Can you tell us where the paragraph was extracted from?
*From:* Nguyen Pham [mailto:nguyen.petronius () gmail com]
*Sent:* Saturday, August 26, 2006 6:32 AM
*To:* pen-test () securityfocus com; full-disclosure () lists grok org uk
*Subject:* [Full-disclosure] CC evaluation
Could you please give your comments on the following point:
"CC is an evaluation of design methods, not an evaluation of security
functionality. It is the system development process that is being evaluated,
not the system itself. This means that the given EAL only states whether a
larger enough pile of paperwork over the design process exists or not. The
correctness and importance of those papers doase not even have to be
verified and examined".
Thanks for your helps,
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/