by rdtsc 4807 days ago
We had some experience with it but indirectly. EALx is a bureaucratic joke, but I see FIPS 140-2 more emphasized.

The higher the level of the customer (the more authority they have), the more flexible they are. Some lower-level labs don't really have much of a choice but to accept a standard boilerplate set of certification stamps.

1 comment

FIPS 140-2 is very narrowly constrained and the parts that aren't crypto-related are the same kind of boilerplate make-work that EAL2/EAL3 is. But also bear in mind that you can pull a list of EAL4+ products right now, and quickly see how many of them have had ridiculous vulnerabilities.