Common Criteria and Windows

It was just announced that MS Windows XP SP2 and 2k3 Server have been accredited at Common Criteria evaluation level 4+.

For those of you who don't know, the Common Criteria is an ISO standard that was created to provide a common way of evaluating and rating security. It combines the US's old Orange Book evaluation with the DoD's Red Book, the Canadian CTCPEC and the EU's ITSEC. It has 7 Evaluation Assurance Levels (EALs), 1 being the lowest and 7 the highest.

Now here is where things start to get shaky. Windows has achieved 4+. Novell has had 4+ for Open Enterprise Server for some time, and it appears that SUSE and Red Hat are both going for evaluations and will likely achieve 4+.

The reason for this is that 4+ is the highest level of accreditation a commercial product can realistically hope to achieve. It is this fact that makes me believe the Common Criteria is doing a disservice to the security community.

I find it hard to believe that additional security cannot be added to Windows, that it can't be more secure than it is now. And yet we have hit a wall with the CC. What motivation do Microsoft or the others have to improve their security if they are already accredited at the highest level a commercial product can attain?