Re: Common Criteria Certification
On Friday 29 October 2004 15:45, Joe Covert wrote:
> We are considering using Debian as our OS of choice.
> Is Debian "Common Criteria Certified" and if not are there plans to get
The Common Criteria certifications are only valid against a particular Target
of Evaluation - i.e. a well specified system such as (in a Debian context) a
specific set of packages - usually quite restricted - at specific version
numbers. As soon as you deviate from the configuration which was tested for
the certification then the certification becomes invalid.
The evaluations are useful for:
a) Firewall systems - which tend to be well bounded, with very small numbers
of packages to consider and a slow rate of change. Note that the evaluations
will generally only apply to the firewall itself - not to how it protects
b) Specialist systems with a huge budget - for example military, or key
control systems. Again, once installed they tend to be unchanged for many
years and the functionality is deliberately limited.
c) Everybody - because the process of looking at the system does sometimes
uncover things which should be fixed, and when a Free Software platform is
used then these fixes feed back to benefit all the users of that component.
d) Marketing people - the main beneficiaries - who will tend to gloss over the
stringency of the testing criteria and the fact that the tested system may
not be very typical and just sell you on the label. It is a bit like being
told that the car you are looking at in the showroom is the same as the one
which won the World Rally Championship - they are the same, apart from the
rally one having a different engine, suspension, all the unnecessary bits
removed from the interior and then carefully hand built by a dedicated team.
If you had plans for a substantial Debian based roll-out which would really
benefit from evaluation to one of the EAL levels then a large systems
integrator could certainly take your target platform through the
certification process, but all certifications are expensive. All evaluators
are required to have a substantial amount of training, huge quantities of
paperwork are involved and an organisation which is registered to be able to
perform the evaluation will have to spend a lot of money to get set up -
which it will have to recover from its customers.
John Lines <http://www.paladin.demon.co.uk/john.lines.html>