Full Disclosure mailing list archives
Re: Can ISO15408 evaluated products be trusted?
From: Valdis.Kletnieks () vt edu
Date: Wed, 18 May 2005 14:45:20 -0400
On Wed, 18 May 2005 08:25:32 PDT, Nora Barrera said:
> Does anybody understand what is really tested during an evaluation, or is it just bullshit?
Ask the vendor for a copy of the evaluation report. http://csrc.nist.gov/cc/

The *important* part you want to find is the 'Protection Profile' that it was evaluated against - this replaces the old C1/C2/B1/B2/A levels in the old DOD Orange Book. Note *very* carefully this change from Orange Book: There are *two* components - the Protection Profile (how much stuff the system is designed to protect) and the EAL (evaluation assurance profile) (how good/thorough a job the system does). So it's possible to get a very high rating on a not-very-protective profile (and in fact, many vendors have done this).

http://niap.nist.gov/cc-scheme/pp/index.html has a list of profiles.

Note that the EAL and PP interact - a CAPP (Controlled Access) evaluated at EAL4 may actually provide less *real* protection than an LSPP (Labeled System) evaluated to EAL3 - the EAL4 just means they've done more work to prove the *provided* security works as advertised. The NSA reportedly did an EAL7 light switch. They did a *LOT* of work proving there was no possible way to subvert any of the security mechanisms the light switch provided. :)

(And yes, many vendors went for an EAL4 on a lower protection profile instead of an EAL3 on a profile that required more features - don't let Microsoft, IBM, Suse, or *anybody* brag up that EAL4 till they tell you what profile it was against ;)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Can ISO15408 evaluated products be trusted? Nora Barrera (May 18)
- Re: Can ISO15408 evaluated products be trusted? Valdis . Kletnieks (May 18)
- Re: Can ISO15408 evaluated products be trusted? Nora Barrera (May 21)
- Re: Can ISO15408 evaluated products be trusted? HHikita (May 21)
- Re: Can ISO15408 evaluated products be trusted? Valdis . Kletnieks (May 21)
- Re: Can ISO15408 evaluated products be trusted? Nora Barrera (May 21)
- Re: Can ISO15408 evaluated products be trusted? HHikita (May 18)
- <Possible follow-ups>
- Re: Can ISO15408 evaluated products be trusted? Nora Barrera (May 20)
- Re: Can ISO15408 evaluated products be trusted? HHikita (May 20)
- Re: Can ISO15408 evaluated products be trusted? Nora Barrera (May 21)
- Re: Can ISO15408 evaluated products be trusted? HHikita (May 21)
- Re: Can ISO15408 evaluated products be trusted? Valdis . Kletnieks (May 18)
