Slashdot Mirror


User: GBH

GBH's activity in the archive.

Stories: 0 · Comments: 1

Comments · 1

  1. Re:CCS = Entry Level certification; CCS profiles n on Windows Gets Independent Security Certification · Score: 1

    I'm sorry, but this is just claptrap and, as one of the other posters has mentioned, you clearly know little about what you're talking about.

    CC is a framework for testing products against an understood standard set of criteria to evaluate that it's doing its job. There are 7 levels of certification (EAL1-EAL7) which require different levels of thoroughness. EAL4, for example, is likely to be the first time you'd look at the source code of the product.

    Broadly, it's a combination of checking that procedural measures are in place and that good coding standards have been followed during its development, along with, at the later levels (4 upwards), checking that the product actually does what it says it does and cannot easily be subverted into doing something else.

    Windows has done this for all its server OSes going back to NT4 and latterly has been doing it for XP too. The ONLY reason they do this is because it's almost impossible to sell into government without it. Governments don't care so much about the OS, but they DO care about the security of the products and will often choose an inferior product that's certified over a better product that isn't. Policy often mandates that you use a product with certain levels of evaluation. EAL4 is generally regarded as the entry point where CC matters; before that it's just a paper-pushing exercise and has little value to the security of a system or the product (by little I don't mean none!).

    If you look at the sponsors for putting Redhat and Suse through evaluation (IBM, HP and Oracle mainly), it is almost always done because they want to use those products in a governmental solution and has nothing to do with some altruistic desire to make sure the products are secure.

    The Protection Profiles you allude to are augmentations to the main CC standards. They are in place to provide a recognised baseline and, if you like, a framework for testing very specific capabilities in a unified and recognised way. For example, you might have a protection profile for message labeling which sets out what a good, secure message labeling system should do, should support and should be capable of doing. This is done so that you then know that all message labeling systems meeting that PP are up to a set minimum standard of capability and security. This doesn't mean that a lot of other stuff isn't covered by the main CC evaluations; it just means that they test very specific things that are relevant to that specific component.

    It's amazing what people mod up when they don't understand what they're talking about.