
Re: legal question about certs



> Novell's position on this issue is one in favor of Truth in
> Advertising -- certificates (and digital signatures) should contain a
> statement that specifies what level of computer security rating the
> platform has, and what cryptographic implementation rating, plus an
> assertion of what kind of credential verification was performed.

What do you see as the form?

Take https://www.microsoft.com/ntserver/info/seceval.htm for example.

Who does one believe, as a consumer? (And the above page is data
origin authenticated to Microsoft, so they are not bluffing or merely
puffing their product, at least.)

Are you suggesting the CA will decide whether to accredit the
certification of the product/system rating team, and bear liability
for the judgement and any remaining vulnerabilities, or residual
risks due to the evaluation level, or the method of investigation, or
the competency of the evaluating lab?