[Cryptography Team] Today's Meeting update

Cerebus cerebus2 at gmail.com
Fri Dec 1 15:31:00 UTC 2006


On 12/1/06, Ron Teitelbaum <Ron at usmedrec.com> wrote:
> Tim could you explain this in more detail?
>
> > You get EAL2 just for showing up at the meetings is what I hear.  :)

http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

"""
EAL2: Structurally Tested

EAL2 requires the cooperation of the developer in terms of the
delivery of design information and test results, but should not demand
more effort on the part of the developer than is consistent with good
commercial practice. As such it should not require a substantially
increased investment of cost or time. EAL2 is therefore applicable in
those circumstances where developers or users require a low to
moderate level of independently assured security in the absence of
ready availability of the complete development record. Such a
situation may arise when securing legacy systems.
"""

Basically, EAL2 says "It works and there's at least some evidence
provided that it was designed," i.e., the developer showed up at the
meetings.  EAL1 says "It works but nobody showed it works on purpose,"
i.e., the developer didn't show any design documentation, or didn't
have any design documents to show.

EAL3 and 4 are where the stringency takes hold.

-- Tim

