lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <0ce601c6c90b$14714a70$ca0110ac@v2069cl>
Date: Sat, 26 Aug 2006 08:28:04 -0400
From: "Clement Dupuis" <cdupuis@...ure.org>
To: "'Nguyen Pham'" <nguyen.petronius@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, pen-test@...urityfocus.com
Subject: RE: CC evaluation

There are a few things you have to be careful with online information.  Some
of it is great and some of it is plain junk or not what I would called
researched.

 

It seems the specific portion of this paper that talks about CC is first a
cut an past of online resource and second written by someone who has done a
couple hours of reading on the subject and not thorough research as it
should be.

 

The second issue I see is the references being used are all dating back to
year 2000, six years within the information security field is like centuries
in other fields.  Things have changed a whole lot since the year 2000 bug.

 

Myself I would visit the CC website and find from the authoritative source
on the subject what a real CC evaluation is all about.  Protection profiles
are not written on the fly to satisfy vendors as claimed in this paper.
Obviously it was written by someone who was pro TCSEC.

 

Thanks for the link to the document

 

Clement

 

 

  _____  

From: Nguyen Pham [mailto:nguyen.petronius@...il.com] 
Sent: Saturday, August 26, 2006 8:09 AM
To: Clement Dupuis
Cc: pen-test@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] CC evaluation

 

Sorry for this missing.

This text found on this report "Evaluation of the Security of Components in
Distributed Information Systems", p20 (http://www2.foi.se/rapp/foir1042.pdf
)

Best,
Nguyen Pham.

On 8/26/06, Clement Dupuis <cdupuis@...ure.org> wrote:

Obviously this is a paragraph extracted out of context from some documents.

 

By itself it is totally wrong but it might make sense if we have access to
the whole document.

 

Depending on the EAL level being sought you might not even look at the
design process or development process at all.  Only the higher level would
require this.

 

Can you tell us where the paragraph was extracted from?

 

Take care

 

Clement

 

 

  _____  

From: Nguyen Pham [mailto:nguyen.petronius@...il.com] 
Sent: Saturday, August 26, 2006 6:32 AM
To: pen-test@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] CC evaluation

 

Hi all,

Could you please give your comments on the following point:

"CC is an evaluation of design methods, not an evaluation of security
functionality. It is the system development process that is being evaluated,
not the system itself. This means that the given EAL only states whether a
larger enough pile of paperwork over the design process exists or not. The
correctness and importance of those papers doase not even have to be
verified and examined". 

Thanks for your helps,
Nguyen Pham.

 


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ