<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:blue;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle21
        {mso-style-type:personal-reply;
        color:black;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>There are a few things you have to be careful
with online information. Some of it is great and some of it is plain junk or
not what I would call researched.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>It seems the specific portion of this
paper that talks about CC is first a cut and paste of an online resource and second
written by someone who has done a couple hours of reading on the subject and
not thorough research as it should be.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>The second issue I see is the references
being used are all dating back to the year 2000; six years within the information security
field is like centuries in other fields. Things have changed a whole lot since
the year 2000 bug.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>Myself, I would visit the CC website and
find from the authoritative source on the subject what a real CC evaluation is
all about. Protection profiles are not written on the fly to satisfy vendors
as claimed in this paper. Obviously it was written by someone who was pro-TCSEC.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>Thanks for the link to the document.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>Clement<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> Nguyen Pham
[mailto:nguyen.petronius@gmail.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, August 26, 2006
8:09 AM<br>
<b><span style='font-weight:bold'>To:</span></b> Clement Dupuis<br>
<b><span style='font-weight:bold'>Cc:</span></b> pen-test@securityfocus.com;
full-disclosure@lists.grok.org.uk<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Full-disclosure] CC
evaluation</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Sorry for missing this.<br>
<br>
This text is found in this report, "Evaluation of the Security of Components
in Distributed Information Systems", p20 (<a
href="http://www2.foi.se/rapp/foir1042.pdf">http://www2.foi.se/rapp/foir1042.pdf
</a>)<br>
<br>
Best,<br>
Nguyen Pham.<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><span class=gmailquote><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>On 8/26/06, <b><span style='font-weight:bold'>Clement
Dupuis</span></b> &lt;<a href="mailto:cdupuis@cccure.org">cdupuis@cccure.org</a>&gt;
wrote:</span></font></span><o:p></o:p></p>
<div>
<div link=blue vlink=purple>
<div>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'>Obviously this is a paragraph extracted out of context from some
documents.</span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'> </span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'>By itself it is totally wrong but it might make sense if we have
access to the whole document.</span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'> </span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'>Depending on the EAL level being sought you might not even look at
the design process or development process at all. Only the higher level
would require this.</span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'> </span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'>Can you tell us where the paragraph was extracted from?</span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'> </span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'>Take care</span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'> </span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'>Clement</span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'> </span></font><o:p></o:p></p>
<p><font size=3 color=black face="Times New Roman"><span style='font-size:12.0pt;
color:black'> </span></font><o:p></o:p></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center>
</span></font></div>
<p><b><font size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma;
font-weight:bold'>From:</span></font></b><font size=2 face=Tahoma><span
style='font-size:10.0pt;font-family:Tahoma'> Nguyen Pham [mailto:<a
href="mailto:nguyen.petronius@gmail.com" target="_blank">nguyen.petronius@gmail.com</a>]
<br>
<b><span style='font-weight:bold'>Sent:</span></b> Saturday, August 26, 2006
6:32 AM<br>
<b><span style='font-weight:bold'>To:</span></b> <a
href="mailto:pen-test@securityfocus.com" target="_blank">pen-test@securityfocus.com</a>;
<a href="mailto:full-disclosure@lists.grok.org.uk" target="_blank">full-disclosure@lists.grok.org.uk</a><br>
<b><span style='font-weight:bold'>Subject:</span></b> [Full-disclosure] <span
name=st id=st><span class=st>CC</span></span> <span name=st id=st><span
class=st>evaluation</span></span></span></font><o:p></o:p></p>
</div>
</div>
<div><span id="q_10d4a507bcc8e8f4_1">
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'> <o:p></o:p></span></font></p>
<p><font size=3 face="Times New Roman"><span style='font-size:12.0pt'>Hi all,<br>
<br>
Could you please give your comments on the following point:<br>
<br>
"CC is an evaluation of design methods, not an evaluation of security
functionality. It is the system development process that is being evaluated,
not the system itself. This means that the given EAL only states whether a
large enough pile of paperwork over the design process exists or not. The
correctness and importance of those papers does not even have to be verified
and examined". <br>
<br>
Thanks for your help,<br>
Nguyen Pham.<o:p></o:p></span></font></p>
</div>
</div>
</div>
</div>
</span>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>