
Understanding the Windows EAL4 rating

Microsoft has made a fair amount of noise about the "Common Criteria EAL4" rating recently awarded to Windows 2000. For those of you who are curious about what that actually means, this article by Jonathan Shapiro is well worth reading.

EAL4 means that the design documents were reviewed using non-challenging criteria. This is sort of like having an accounting audit where the auditor checks that all of your paperwork is there and your business practice standards are appropriate, but never actually checks that any of your numbers are correct. An EAL4 evaluation is not required to examine the software at all.

In other words, this certification does not mean a whole lot. People who are interested in the security of their systems still need to look at the systems themselves and draw their own conclusions; there is no magic rating that will take the brain work out of the process.


to post comments

Understanding the Windows EAL4 rating

Posted Dec 12, 2002 22:25 UTC (Thu) by construx (guest, #7694)

Some interesting commentary on Shapiro's article in the latest RISKS:

http://catless.ncl.ac.uk/Risks/22.42.html#subj10

I'm not sure I completely agree with either viewpoint, but the RISKS post sheds some light on the Common Criteria evaluation process.

In the end, I think the security of an operating system is and should be judged more on its performance in the real world than in any static evaluation process. Already this month we've had two "critical" and one "important" security bulletins from Microsoft, and it's only the 12th.


Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds