Network Computingwww.networkcomputing.com

IPSec Certification
On May 20, 1998, the ICSA (International Computer Security Association) stated that it was performing IPSec compliance certification. The ICSA, well known and respected for its thorough firewall and cryptography compliance testing, is a natural to do the same for IPSec. However, there is a caveat: IPSec and IKE are not yet finalized. This has caused a stir in the IPSec community, with some vendors backing the ICSA certification and some taking issue with ICSA for other reasons.

The crux of contention is that IPSec and IKE are still under revision. If the current protocol drafts change, who¹s to say that any device is IPSec-compliant? Later revisions of the protocol drafts may break ICSA-certified products written to current revisions. This is a good point‹but one that has been addressed by the ³ICSA Program For IPSec Product Certification Version 1.0.² This document defines the current goals for Version 1.0 certification and lays the groundwork for upcoming changes to the protocol suite. Under the section ³The Certification Year² and the subsequent section, it clearly states that products will be spot-checked during the year at no additional cost; products that fail certification will be retested at no additional cost; and that products that go through a revision will be retested at no additional cost.

What does ICSA IPSec Certification get you? For $25,000 per product per year, customers and vendors get some assurance, by a third party, that the products listed will interoperate with other certified products. And that the certified products also pass ICSA Cryptography Product Certification Criteria [Crypt 1.0] in addition to IPSec certification.