No; the developers decide what level they think they can achieve. BTDTGTTSWIOTIA. -----Original Message----- From: barrett [mailto:barrett.mcguire@xxxxxxxxxxxx] Sent: Friday, October 07, 2005 5:46 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: ISA 2004 PPTP VPN--Multiple Client Connections http://www.ISAserver.org The specific IT product being evaluated is referred to as the Target of Evaluation (TOE). The security requirements for that product are described in its security target. The DEVELOPERS write the security target. The DEVELOPERS write the scenerios. So, do you think they are going to pass evaluation? Can't think of one product that was put forward for validation, that was then dnied during the testing phase. Read it once?--Do it every day and still get a kick out of it :)--helps me get to sleep at night. Gov. entities are required by NSTISSP #11 and DoDI 8500.2 to purchase Common Criteria validated roducts, but that does not mean they are secure. Almost like saying Common Criteria = Good Security as MCSE = Good sysAdmin. Do we really believe that. Agree w/ Tom -- Certs are only face value. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.