SecCerts: Mining issued Common Criteria and FIPS140-2 certificates
The security certification reports might be long but is also a trove of publicly available data about otherwise proprietary devices and other products otherwise available only under NDA. While downloading and reading a single certificate is easy, reasoning about the characteristics of the whole ecosystem now with more than ten thousand certified devices based on human-written documents is different.
Are there observable systematic differences between the Common Criteria and FIPS140-2 certificates? Can I quickly found if my device is using a certified component recently found vulnerable? And most importantly, can we measure and quantify if the whole process is actually increasing the security of the products being certificated?