[Cryptography Team] Today's Meeting update AND Eval Islands as Security Component

Ron Teitelbaum Ron at USMedRec.com
Fri Dec 1 15:58:10 UTC 2006


Thanks Tim,

Based on that, if we design and distribute security components for Squeak
and we want to be CC evaluated we should at a minimum shoot for level 3.  We
should revisit this when we have standard security components to offer.

All, 

Would anything within Islands meet the criteria for a security component and
be eligible for, or be contained in, any existing security target or
protection profile?  (Again, my apologies for not being able to review it.)

Ron

> -----Original Message-----
> From: Cerebus [mailto:cerebus2 at gmail.com]
> Sent: Friday, December 01, 2006 10:31 AM
> To: Ron at usmedrec.com; Cryptography Team Development List
> Subject: Re: [Cryptography Team] Todays Meeting update
> 
> On 12/1/06, Ron Teitelbaum <Ron at usmedrec.com> wrote:
> > Tim could you explain this in more detail?
> >
> > > You get EAL2 just for showing up at the meetings is what I hear.  :)
> 
> http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
> 
> """
> EAL2: Structurally Tested
> 
> EAL2 requires the cooperation of the developer in terms of the
> delivery of design information and test results, but should not demand
> more effort on the part of the developer than is consistent with good
> commercial practice. As such it should not require a substantially
> increased investment of cost or time. EAL2 is therefore applicable in
> those circumstances where developers or users require a low to
> moderate level of independently assured security in the absence of
> ready availability of the complete development record. Such a
> situation may arise when securing legacy systems.
> """
> 
> Basically, EAL2 says "It works and there's at least some evidence
> provided that it was designed," i.e., the developer showed up at the
> meetings.  EAL1 says "It works but nobody showed it works on purpose,"
> i.e., the developer didn't show any design documentation, or didn't
> have any design documents to show.
> 
> EAL3 and 4 are where the stringency takes hold.
> 
> -- Tim



