I couldn't agree more.
I run a Certificate Authority for hire. We strive to use solutions that are not only certified, but certified to work together to some level of assurance. The next step for us is to have our operation of these pieces validated. The Common Criteria has plenty of Protection Profiles describing requirements for the components, but not much on operational requirements.
BTW, this is mandated in the German Digital Signature Law, which is a good model for what a legally binding CA service needs.