Re: [ISN] ICSA Awards First Biometric Certification

From: mea culpa <jericho_at_dimensional.com>
Date: Tue 28 Apr 1998 - 04:06:04 CDT
Reply From: Vin McLellan <vin@shore.net>

>[Moderator: A while back, someone posted a great list of questions that
> focused on what it took to get (then) NCSA certified. And I can't help
> but wonder those same questions now. Do you need to be a paying member of
> the ICSA to get certified? Can non-members achieve the same
> certification? And lastly, what makes the ICSA such experts that they can
> certify these companies?]

	ICSA is, of course, a for-profit firm which gathers a group of
vendors into a technology-defined "consortium," then negotiates a series of
lowest-common-denominator standards among them -- against which all
applicants (each of which is a member of the consortium) for
"certification."  It is a commercial business model which has given rise to
a good deal of cynicism on the Net's infosec forums, where it has been
repeatedly suggested that ICSA's firewall certification means about what it
costs -- something like $40K.

	I think the cynicism is a little overdone in this case.  The money
is a real issue. Beyond that, it is also true that the vendors define a
standard they can make -- not necessarily the best one, or the one which
will best or most effectively protect the corporate or government user.

	On the other hand, the ICSA standards set by the other consortia
have historically gotten higher and higher as the technology (and the
certification process) evolves, raising the minimal technical standard.  In
biometrics, there is probably more to it than that. Biometrics is unusual
in that a large group of government agencies -- led by the NSA, but with
other serious potential buyers in the game -- took the initiative a decade
ago to develop minimal standards and a benchmark system. (It probably says
something that this user group grabbed the name "Biometric Consortium"
early -- rather than let a vendors' group claim it. See:
http://www.biometrics.org/)

	So, in this unusual situation, the ICSA had to deal with two
technically savvy consortia when they shaped the standards for biometric
evaluation: the vendors and the most likely big buyers. US federal and
state agencies, and overseas governments, are serious players in
biometrics. Today, they are the largest current market for biometric
authentication technologies: for population control (passports,
immigration, border control) and anti-fraud systems (particularly in
government relief payments, where strong authentication could save
billions.)  The corporate market, let alone the consumer markets, are still
aborning -- so the government guys, real buyers, (typically much more
sophisticated than the corporate buyers at the moment) demanded real
standards for biometric authentication.

	In short, this ICSA biometric certification is probably held to a
higher standard than is typically the case with a wholly vendor-dominated
ICSA certification group.  It remains to be seen, however, how well ICSA
(or the Biometric Consortium, for that matter) has or will address the
multitude of unsettled privacy, security-design, and public policy issues
that surround specific and/or widespread implementations of biometrics for
either identification or authentication.

	My two cents.

		_Vin

-----
      Vin McLellan + The Privacy Guild + <vin@shore.net>
  53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
                         -- <@><@> --


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
Received on Tue Apr 28 14:06:59 1998