Comment Re:And what exactly was the test? (Score 0) 533
As mentioned, Windows 2000 was evaluated to Evaluation Assurance Level 4 (EAL4). According to the Common Criteria, EAL4 means that the product is "methodically designed, tested, and reviewed". And what exactly was the test?
So, what does it all mean? The evaluation would have consisted of a low-level analysis of the modules of the Target of Evaluation (TOE) and some subset of the implementation. (I believe the subset used is specified on Microsoft's site). This analysis is a complete head-to-tail search for any obvious vulnerabilities. Additionally, the life cycle model of the product, development tools used, and configuration management are also analyzed.
Additionally, in case anyone is wondering, the CC allows for 7 levels of assurance, of which Windows 2000 was evaluated to EAL4. "Why weren't they evaluated higher?", you may ask. As I understand it, even though the CC is an international standard, there is currently no agreement on how to perform an evaluation for a product to be EAL5 or higher and be internationally recognized. EAL5 can be done, but if your product is evaluated to EAL5 in the U.S., don't expect the product to be considered any higher than EAL4 in the U.K. (This is slowly changing, however - Canada and the U.S. are working on a bilateral agreement to mutually recognize EAL5, for example).