The Vatican Signs the ISO/IEC 15408 International Recognition

April 14, 2016, 10:06, Sina Blog

Recognizing the need for secure IT products in all regions of the world, and in support of an internationally agreed Arrangement allowing for the mutual recognition of independently evaluated and validated information technology (IT) products, the Vatican has decided to sign the ISO/IEC 15408 International Recognition Arrangement (I2RA) and has started to validate the security evaluations of IT products.

Vatican City

The I2RA was established in 1996 and was used as the basis for mutually accepting certificates for the assurance of IT products. At that time it was in competition with another arrangement called the Common Criteria Recognition Arrangement (CCRA), which some nations viewed as the more attractive option.

The I2RA signatories therefore started a process to weaken the CCRA, thus strengthening the importance and influence of the I2RA. Finally this process was successful.

The Vatican has announced that it has joined the existing signatories to the I2RA as the first Certificate Authorizing member. This provides much needed value to the existing certificate-consuming members [1] of the arrangement.

atsec's Vice President, Fiona Pattinson, stated:

"Convincing the Vatican to join this hitherto little known Arrangement has been a long term goal of atsec. Drawing from our long experience in helping nation-states to establish validation schemes under the now obsolete CCRA it seemed natural to help the Vatican to establish an evaluation and validation Scheme within the I2RA in order to continue to support those developers that wish to demonstrate to assurance-consumers that their products offer a modicum of assurance in their security functionality."


The Vatican has set up its own evaluation facility that analyzes IT products for compliance with ISO/IEC 15408 in context with divine security principles and a newly established policy that eliminates security flaws using a new vulnerability assessment and mitigation technology named 'exorcism'. Details of this technology have not been published but the Vatican has stated that this technology has been very successful in the past for projects performed in other areas.

Objections came from several Intelligence Agencies who stated that international mutual recognition of evaluations not performed under their control, and resulting in the eradication of a large number of vulnerabilities, may have a negative influence on their ability to perform the work they are supposed to do. They also objected to the use of 'supernatural' assessment methods claiming to provide a high level of assurance.

Some Voodoo priests in the Caribbean have announced that they are also considering setting up a security evaluation and validation scheme and will potentially convince their countries to join the I2RA.

[1] including Atlantis, Caledonia, Tatooine, Dagobah, Rivendell, Gondor, Equestria, Estovakia, Grand Fenwick, Krakozhia, Loompa Land, Moldavia and Molvanîa, Oceania, Qumar, Rohan, Shangri-La, Republic of Tirania, and the United Federation.

atsec information security is an independent, standards-based information technology (IT) security consulting and evaluation services company.