[5227] in cryptography@c2.net mail archive
Subject: Re: Security Lab To Certify Banking Applications (was Re: ECARM NEWS for July 23,1999 Second Ed.)
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Mon Jul 26 19:42:59 1999
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@c2.net, dbs@philodox.com, dcsb@ai.mit.edu
Reply-To: pgut001@cs.auckland.ac.nz
X-Charge-To: pgut001
Date: Tue, 27 Jul 1999 11:27:29 (NZST)
"William H. Geiger III" <whgiii@openpgp.net> writes:
>In <v0421012db3be70faae9c@[207.244.108.87]>, on 07/23/99
> at 03:20 PM, Robert Hettinga <rah@shipwright.com> said:
>>>The Financial Services Security Laboratory will open July 28 in
>>>Reston, Va. The facility will be used to test software packages against
>>>a set of standards for securing e-commerce and bill-payment
>>>applications, as well as browsers and operating software.
>Well, I have my doubts on this. Either they refuse to certify Microsoft &
>Netscape software and alienate 90% of the consumer market, or they do certify
>them, making their certification worthless.
Actually there's a way you can manage this (which was used by MS to get NT's
ITSEC E3 certification in the UK):
1. Define your own TOE (target of evaluation) for the certification
(translation: lower your expectations to the point where they're already
met).
2. Have the product certified to your own TOE.
3. Mark the TOE "Microsoft Confidential" and don't let anyone see it
(leading to considerable speculation about how you could possibly manage
to write a TOE which would allow NT to get an E3 certification).
4. Tell everyone you have an E3 certified OS and sell it to government
departments as secure.
This isn't to say that the certification process is a bad thing. If it's done
properly it can lead to a reasonable degree of assurance that you really do
have a secure product, which is exactly what was intended. Unfortunately if
all you're interested in is filling a marketing checkbox, you can do this as
well. This was the Orange Book's strength (and weakness): it told you exactly
what you had to do to get the certification, so you couldn't work around it
with fancy footwork. OTOH it was also inflexible and had requirements which
didn't make sense in many instances, which is what led to the development of
alternatives like ITSEC/the Common Criteria. For all its failings I prefer
the Orange Book (if it can be made to apply to the product in question)
because that way at least you know what you're getting.
(Given that NT now has a UK E3 certification, I don't think you need to get
it recertified in the US, since it's transferable to all participating
countries, so I don't think it'd have to be certified by the above lab).
Peter.