
Re: Common Criteria Certification

On Friday 29 October 2004 15:45, Joe Covert wrote:
> We are considering using Debian as our OS of choice.
> Is Debian "Common Criteria Certified" and if not are there plans to get
> certification.
The Common Criteria certifications are only valid against a particular Target 
of Evaluation - i.e. a well specified system such as (in a Debian context) a 
specific set of packages - usually quite restricted - at specific version 
numbers. As soon as you deviate from the configuration which was tested for 
the certification then the certification becomes invalid.

The evaluations are useful for:

a) Firewall systems - which tend to be well bounded, with very small numbers 
of packages to consider and a slow rate of change. Note that the evaluations 
will generally only apply to the firewall itself - not to how it protects 
your network.
b) Specialist systems with a huge budget - for example military, or key 
control systems. Again, once installed they tend to be unchanged for many 
years and the functionality is deliberately limited.
c) Everybody - because the process of looking at the system does sometimes 
uncover things which should be fixed, and when a Free Software platform is 
used then these fixes feed back to benefit all the users of that component.
d) Marketing people - the main beneficiaries - who will tend to gloss over the 
stringency of the testing criteria and the fact that the tested system may 
not be very typical and just sell you on the label. It is a bit like being 
told that the car you are looking at in the showroom is the same as the one 
which won the World Rally Championship - they are the same, apart from the 
rally one having a different engine, suspension, all the unnecessary bits 
removed from the interior and then carefully hand built by a dedicated team.

If you had plans for a substantial Debian based roll-out which would really 
benefit from evaluation to one of the EAL levels then a large systems 
integrator could certainly take your target platform through the 
certification process, but all certifications are expensive. All evaluators 
are required to have a substantial amount of training, huge quantities of 
paperwork are involved and an organisation which is registered to be able to 
perform the evaluation will have to spend a lot of money to get set up - 
which it will have to recover from its customers.

John Lines <http://www.paladin.demon.co.uk/john.lines.html>

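The point John makes about the Target of Evaluation being a specific package set at specific versions can be turned into a concrete check. The following is an added example, not code from the original post or from Debian: it compares a snapshot of what is installed (in the shape of `dpkg-query -W -f='${Package} ${Version}\n'` output) against a manifest of the evaluated configuration and reports every deviation, since any one of them takes the system outside what the certificate covers. The package names and versions are constructed for illustration and do not describe any real evaluated configuration.

```python
"""Check an installed Debian package list against an evaluated-configuration manifest.

Hypothetical example: a Common Criteria certificate covers a Target of
Evaluation, i.e. a specific package set at specific versions.  A package that
is missing, at a different version, or installed but outside the evaluated
set is a deviation from that configuration.  All sample data below is
constructed; it does not describe any real evaluated system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed manifest of the evaluated configuration, one "name version"
# per line, the same shape dpkg-query -W -f='${Package} ${Version}\n' prints.
EVALUATED_MANIFEST = """\
base-files 3.1.2
libc6 2.3.2.ds1-22
netfilter-tools 1.2.11-4
openssh-server 3.8.1p1-8
"""

# Constructed snapshot of a live system in the same format.  It has drifted:
# one package was upgraded and one extra package was installed.
INSTALLED_SNAPSHOT = """\
base-files 3.1.2
libc6 2.3.2.ds1-22
netfilter-tools 1.2.11-5
openssh-server 3.8.1p1-8
vim 6.3-013
"""


def parse_package_list(text: str) -> Dict[str, str]:
    """Parse 'name version' lines into {name: version}; skip blanks and '#' comments."""
    packages: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'name version', got {raw!r}")
        name, version = parts
        if name in packages:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        packages[name] = version
    return packages


@dataclass
class Deviation:
    kind: str                    # "missing", "version" or "extra"
    package: str
    expected: Optional[str] = None   # version in the evaluated manifest, if any
    actual: Optional[str] = None     # version actually installed, if any


def compare_to_manifest(manifest: Dict[str, str], installed: Dict[str, str]) -> List[Deviation]:
    """Return every way `installed` departs from `manifest`, sorted by package name.

    Versions are compared as exact strings on purpose: the evaluated
    configuration is those exact versions, so a newer build is still a
    deviation even if it would sort higher under Debian version ordering.
    """
    deviations: List[Deviation] = []
    for name, expected in manifest.items():
        actual = installed.get(name)
        if actual is None:
            deviations.append(Deviation("missing", name, expected, None))
        elif actual != expected:
            deviations.append(Deviation("version", name, expected, actual))
    for name, actual in installed.items():
        if name not in manifest:
            deviations.append(Deviation("extra", name, None, actual))
    return sorted(deviations, key=lambda d: (d.package, d.kind))


def matches_evaluated_configuration(manifest_text: str, installed_text: str) -> bool:
    """True only when the installed set is exactly the evaluated set."""
    return not compare_to_manifest(parse_package_list(manifest_text),
                                   parse_package_list(installed_text))


def main() -> None:
    deviations = compare_to_manifest(parse_package_list(EVALUATED_MANIFEST),
                                     parse_package_list(INSTALLED_SNAPSHOT))
    if not deviations:
        print("installed set matches the evaluated configuration")
        return
    print("system deviates from the evaluated configuration:")
    for d in deviations:
        print(f"  {d.kind:8} {d.package}: expected={d.expected} actual={d.actual}")


if __name__ == "__main__":
    main()
```

On a real host the snapshot would come from `dpkg-query -W -f='${Package} ${Version}\n'` rather than the constructed string, and the manifest from the evaluated configuration's own documentation; the check is only as good as that manifest, and it says nothing about configuration files or kernel settings, which an evaluation also pins down.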