On Sat, May 10, 2008 at 10:10:21AM +0200, Lennart Regebro wrote:
On Thu, May 8, 2008 at 11:55 AM, Christian Theune <ct@gocept.com> wrote:
Hi everyone,
I have to give an unfortunate update about the Common Criteria (CC) certification.
The CC project began in 2003 to certify Zope 3's security architecture under the conditions of the Common Criteria framework.
We started out as a community effort which turned out not to be a viable solution due to the lack of interest of volunteers and the complexity of the problem space.
gocept restarted the efforts in 2006 and provided a security target document which was given to review and was moving pretty well, actually. There were very concrete and viable plans for 2008 to finally get the certification wrapped up by the end of May.
Unfortunately the project had to be cancelled due to the lack of interest of the sponsoring organisation which went through a major merger. Due to that we're stopping all activities on the certification. If interest in this should come back at some point, we'd be happy to be part of a renewed effort.
Too bad. I think those kinds of certifications aren't of much real use, but it positions you as a serious enterprise player, so it looks good.
I found it very useful to think about security in a structured way. The CC functional catalog isn't that bad. I think the overall approach of CC is actually pretty good. However, certifying a framework isn't directly thought of in CC so we had our problems with terminology clashes etc. as CC wants to certify a specific application instead.

Christian

--
gocept gmbh & co. kg - forsterstrasse 29 - 06112 halle (saale) - germany
www.gocept.com - ct@gocept.com - phone +49 345 122 9889 7 - fax +49 345 122 9889 1 - zope and plone consulting and development