Ian J-B writes:
>The US FC-FIPS process was an attempt to produce a US version of ITSEC with
>some additional 'Quality' requirements built in. The International Common
>Criteria is hoped to produce a genuine international criteria which again
>follows the ITSEC format.
Well there was supposed to be a "Federal Criteria" which died stillborn
(possibly partially since the review conference was scheduled for The Same
Day as the Clipper review at the height of that hysteria two years ago). As a
result the only approved standards are the venerable Rainbow Series. The
Common Criteria is a wonderful thought but until it is approved for gov use,
no-one in this country is going to take an active interest.
An amusing aside was that at the IFIP conference in Curacao last year I heard
non-Americans say the CC was "too American" while the Americans were saying
it was "too European" 8*).
>A C2 evaluation of a Microsoft product raises some interesting questions
>about the NCSC process. For some time now vendors wanting a C2 ticket have
>been turned away on the grounds that C2 is a trivial security level and NCSC
>didn't have time to waste on anything that wouldn't make at least B1.
There is another factor: Some time ago I was told that all testing below the B
level was transferred to NIST, NSA/NCSC now only does B1 and above. Of
course the fact that every attack I have seen in the last year has started
out at levels that are not addressed until you reach the B level might
have something to do with it.
To me, the biggest change is that back in 1991, NIST said their charter did
not include PCs, guess that has changed also.