> At 08:34 AM 7/1/96, gary flynn wrote:
> >> I think some important questions need to be asked:
> >>
> >> 1. Who appointed the NCSA as the proper body to approve firewalls?
> >>
> >
> >I think your questions are valid but I think the underlying
> >principle is "lead, follow, or get the hell out of the way" :-)
>
Corey responded in part:
>
> I think you're all missing the point. I have no problem with the
> concept of the NCSA or any other responsible body acting as a protector
> of the public interest in insuring that all firewall products deliver the
> security promised or, at a minimum, necessary to adequately protect our
> networks.
> The mission statement is admirable. The execution is faulty.
>
I think the real point is that a load of small groups are trying to
establish themselves as certification authorities on security. There are
also the national and international initiatives backed by governments.
OK US NCSC may have been too restricted in the past. ITSEC addressed most
of the major issues, and we are all supposed to be backing Common
Criteria. None of those schemes are perfect, but one of the reasons for
that is that vendors and users outside government have been very slow to
join the party. That's meant that criteria have been driven by academics
and government officials and they don't have a really good understanding of
what drives commercial enterprises.
Rather than sulk off and try to set up many competitive partial schemes,
it would be more productive to participate in the major schemes which are
well established and try to improve them. I personally have a few
reservations about Common Criteria, but it does offer the prospect of a
true international criteria, it's based on ITSEC, which was in turn an
improvement based on TCSEC, and is well worth actively supporting and
changing from within.
WRT the nasty commercial issues, no one does anything for free. TCSEC
certifications cost money, ITSEC requires the vendor to pay for
evaluation time at commercial rates, Common Criteria won't be for free.
The major differences between NCSA certification and say ITSEC are:
1. NCSA are charging a membership fee which is less than 25% of what
it would cost for an ITSEC evaluation of a firewall at E2 or E3. If NCSA
prove to do as good as or better evaluation job then they have commercial
advantage. Probability though is that their evaluation will be trivial by
comparison - if not they are sure to say so on this forum.
2. ITSEC is open (and has been since 1990) to anyone who wants to
submit a product and pay for the evaluation. You don't have to be a member
of the club. Also the criteria is public domain and the evaluators and
certifiers are not only independent of the vendor, but of each other - you
can't get much more equal than that.
3. National and international legislation will be based on ITSEC and
CC rather than on trade groups like NCSA.
Ian J-B.