Re: Common Criteria Certification





"Steve Riley [MSFT]" wrote:

Heya. Just wanted to close this out. You have been hearing some rumors or
poorly-stated information. While it's true that we're exploring a new
evaluation method with NSA, we have no plans now to abandon Common Criteria,
and Steve Lipner has never made such a claim. If in fact this new program
does supersede Common Criteria, that'll be years down the road.

We kicked off our Common Criteria evaluation of Windows Vista and Windows
Server 2008 on 31 July 2007. It's expected to complete in December 2010. You
can see it listed at http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm.

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley


"Kim_Jong" <KimJong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EEF5C93C-9C56-4C10-A4FC-3450A0B1707C@xxxxxxxxxxxxxxxx
Hello Steve,

From what we're learning, these aren't rumors. My bosses made some headway
today. As I'm sure you know, Steve Lipner is on a different course. It's
common knowledge in the government sector that he's vented his concerns
about CC certification both here and abroad. We've heard him express his
doubts over the years. It's just that now it looks like the decision is more
firm, and he's in favor of piloting some other certification the NSA is
sponsoring (or they themselves piloting). This corroborated the information
we received through that internal channel I mentioned earlier.

This is obviously a sensitive topic, so I'm going to sign off and leave the
rest to the higher-ups.

Thank you again for your assistance.
--
Kim Jong, MCSE


"Steve Riley [MSFT]" wrote:

I would love to know where you get your rumors from, because those people
must be smoking some really great stuff! They probably wouldn't share,
though...

We don't set completion targets because it's largely out of our control when
the evaluation will finish. I do know that completed certification, in a
reasonable time, is our goal. Most certifications take two to three years
after evaluation begins. But for most customers, "in evaluation" is
sufficient for deployment--time lengths for evaluations haven't been
blockers in our experience.

If I get any more details, I'll follow up here.

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley


"Kim_Jong" <KimJong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:908E3AFC-92A8-4C71-8962-82D8DD5A72FA@xxxxxxxxxxxxxxxx
Thank you for that reassurance. :)

Do you have an anticipated completion date? I imagine others are asking this
question of Microsoft too.

I ask this because the other thing I recall from the conversation that a
couple of us were privy to was that the Vista evaluation is going to consist
of producing a minimal number of security specifications each month (we
heard one spec a month) toward certification, pushing the actual CC
completion date out to the year 2050 or thereabouts. This is what led us to
believe that Microsoft is not pursuing CC certification, despite the
appearance of being "in evaluation" with a CCTL. We are also checking with
the NSA and the CCTL in Maryland to see if we can get more information.

Many thanks again.
--
Kim Jong, MCSE


"Steve Riley [MSFT]" wrote:

To double-check my own understanding, I verified with the program manager
responsible for our participation in certification programs. Common Criteria
evaluation will begin soon.

And speaking of stymied, I'm at a loss to make the link between my knowing
your email and the spouse of an MSRC employee! Just so that everyone here
knows: you are all welcome to email me privately. If I have to forward your
mail to someone else to get an answer, I cut out all identifying information
first. Only I will know your email/phone/blood type/credit
history/temperature of your ass in your chair. :)

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley


"Kim_Jong" <KimJong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C1ED7D9F-5370-46C9-B25E-68D770698350@xxxxxxxxxxxxxxxx
Steve, this came from someone who is married to a Microsoft person in the
MSRC. (Now you understand why I prefer not to contact you privately.) We
were told that Microsoft has chosen to pursue a different certification but
that it is not the Common Criteria. We know of no other certifications, and
we are close to the NSA here. We can't seem to get any more information than
that. The account team is stymied. Thank you, we will watch for the posting
on CCEVS.
--
Kim Jong, MCSE


"Steve Riley [MSFT]" wrote:

I wanted to try to find out from you where you heard this information,
because it's wrong. We are indeed pursuing Common Criteria (ISO/IEC 15408)
certification for both Windows Vista and Windows Server 2008. In fact, we
expect both to be listed at
http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm in a few weeks.

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley


"Kim_Jong" <KimJong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A8308CF3-A2CF-4398-936E-F0AD277391B1@xxxxxxxxxxxxxxxx
Thank you Steve, can you please post your response here? I wish to keep my
email address private, thank you.
--
Kim Jong, MCSE


"Steve Riley [MSFT]" wrote:

Please reply to me privately. I can help you with this.

Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley


"Kim_Jong" <KimJong@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9102EE4D-ABB9-406C-B442-385EE099B3E2@xxxxxxxxxxxxxxxx
We have learnt here in D.C. that Microsoft will not be attaining Common
Criteria certification of Vista and W2K8. This concerns us greatly, as most
of our clients are Federal agencies that require Common Criteria evaluation.
We will not be able to deploy new OS to these agencies without this CC
certification. Many people will lose their jobs if government can no longer
use Windows. What is Microsoft going to do about this obstacle?
--
Kim Jong, MCSE
