Common Criteria is the nickname
for ISO 15408, Information Technology - Security Techniques -
Evaluation Criteria for IT Security. Common Criteria provides a mechanism for the mutual
recognition of product evaluations in order to achieve improved world-wide availability of
Information Technology security-capable products. One of the most useful parts of the CC
methodology is the ability (and requirement) to precisely define the environment and operational requirements
for a piece of IT security equipment as part of the specification of what the product is expected to do.
The following activities represent some of the Common Criteria related output of RMTCI.
- Technical Editor for preparation and certification of the Smart Card Security Users
Group Smart Card Protection Profile. This effort involved a consortium of the major
payment associations (Visa, MasterCard, American Express, and JCB) as well as multiple
government representatives (US, Canada, Great Britain, France, Germany, and Japan).
The Protection Profile
(written according to the requirements of the Common Criteria ISO 15408) was certified in the US
in September 2001.
- Author of EMV Integrated Circuit Card Credit and Debit Application Protection
Profile draft (submitted to EMVCo for review in 2001).
- Adjunct Technical Consultant for Authenti-Corp. Contributed to:
  - Government Smart Card Interoperability Specification - Smart
    Card Application Protection Profile, DRAFT 2003.
  - Biometric Verification Mode Protection Profile DRAFT 2003.
- Author of Monograph for Smart Card Industry Association (SCIA is now part of the
Smart Card Alliance).
  - Common Criteria and Smart Card Security Evaluations, May 2000.
- Provided training in Common Criteria to various industrial groups.
- Provided technical writing services for various customers to generate papers
on Common Criteria Protection Profiles, Common Criteria threats and vulnerabilities, definition of
Targets of Evaluation (TOE), and general CC support.
- Successfully completed NIAP course on Designing a Protection Profile, January, 1999.
- Professional Contributions:
  - "SCSUG-SCPP Lessons Learned", Proceedings, 3rd International Common Criteria
    Conference, presented at the Conference, Ottawa Canada, May 13-14, 2002.
  - "Common Criteria and the Smart Card Security Users Group Smart Card
    Protection Profile", presented at the SMPTE Study Group DC28.4, Los Angeles, CA, May 22, 2001.
  - "Developing Protection Profiles - Getting Started", Proceedings, 16th
    Annual Computer Security Applications Conference, presented at the
    Conference, New Orleans, LA, December 11-15, 2000.
  - "The Smart Card Security Users Group Smart Card Protection Profile", Proceedings,
    23rd National Information Systems Security Conference, presented at the Conference,
    Baltimore, Maryland, October 16-19, 2000.
  - "Smart Card Protection Profile", Proceedings, 1st International Common Criteria
    Conference, presented at the Conference, Baltimore, Maryland, May 23-25, 2000.
  - Introduction to the SCSUG Protection Profile at CarteS '99 Workshop, November, 1999.
  - Panelist on Protection Profiles at 22nd National
    Information Systems Security Conference, October, 1999.
  - Participant in NIST Workshop on Databases of Threats and
    Countermeasures, March 1999.