1Copyright © 2013 The Printer Working Group. All rights reserved. MFP Technical Community Vendor...

1Copyright copy 2013 The Printer Working Group All rights reserved

MFP Technical Community Vendor F2F

1

bull Agendabull Notes from ICCCbull Recap of the F2F meeting in Orlandobull Discussion of currently open issues and proposed resolutions https

ccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468sortBy=commentsampsortOrder=descendingamptext=[issue]

bull Updates from NIAP and IPA (if any)bull Plans and schedulesbull Open discussion

Copyright copy 2013 The Printer Working Group All rights reserved

Notes from ICCC (1)

bull The theme was ldquoCollaborationrdquo

bull Major news itemsbull CNSSP 11 published (before ICCC)bull India elevated to ldquocertificate authorizing schemerdquobull All CCRA members ldquoagree in principlerdquo to new CC Recognition

Arrangement

2


Notes from ICCC (2)

bull The CC Users Forum had a very strong presence before and during ICCCbull Next CCUF-CCDB workshop ~ Istanbul ~ March 17 2014

bull Next ICCC was not announced at this ICCCbull It will be somewhere in India late September as usualbull My guess is that ICCC 2015 will be in Australia

3


Notes from ICCC (3)

bull Some interesting presentations

bull Dag Stroumlman (CCMC chair and head of the SE scheme) reported on the ldquonew CCrdquo pilot project creating a USB PP It has been going on for a long time and no TC created yet

bull T-Systems presented ldquoHow to Create a Slim and Comprehensive PPrdquo a process that looked similar to how we did the IEEE 2600-series PPs (except that it clusters SFRs around TOE security functions)

4


Notes from ICCC (4)

bull More interesting presentations

bull IPA presented ldquoVulnerability-Centric Assurance Activities for MFP PP as a candidate cPPrdquo which foretells how IPA might write assurance activities in the new MFP PP

bull IPA also published a major update to their MFP Vulnerabilities research paper this time in English too

bull In Japanese httpswwwipagojpsecurityjisecapdxdocuments20130312reportpdf

bull In English httpwwwipagojpsecurityjisecapdxdocuments20130312report_Epdf

5


Notes from ICCC (5)

bull Yet more interesting presentations

bull ldquoExact Conformancerdquo was explained by Jim Arnold (but it may or may not match NIAPrsquos official but undocumented definition)

bull ldquoItrsquos Just a Printer ndash Lessons Learned over 10 Years of CC Evaluations by Xerox and CSCrdquo brilliantly presented by Alan Sukert and Lachlan Turner about how they reduced evaluation cost by 40

bull Presentations are published on the web site httpwwwfbcinccomeicccagendaaspxbull Photos and videos will be posted sometime

6


Notes from ICCC (6)

bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB

workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in

advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want

to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good

7


Recap of Orlando F2F

bull A full day meetingbull 17 in-person attendees 4 people by telecon

bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different

consultancies and 2 others

bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings

bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues

bull Made vague plans for periodic telecons F2F meetings

8


Lots of comments were resolved

bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F

summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222

9


Currently open issues (1)

bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess

to datardquo Note that Para 91 says exactly that but only about faxesrdquo

bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo

10



bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and

what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo

bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log

bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)

bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services

11



bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should

be collectedrdquobull TC F2F action item Look at Enterprise Security Management

to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one

case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments

bull Proposal dont collect any additional information in the MFP PP

12



bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all

Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and

DUSERJOB as the attributes

bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo

bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)

bull The other proposal is to create an Extended Component

bull The TC needs to discuss decide

13



bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and

ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo

bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear

bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo

14



bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for

potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo

bull TC F2F recommendation

bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)

bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements

bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check

15



bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo

16


Updates from NIAP and IPA

bull Nothing

17


Plans and Schedules

bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014

18


Open Discussion

19



Notes from ICCC (1)

bull The theme was ldquoCollaborationrdquo

bull Major news itemsbull CNSSP 11 published (before ICCC)bull India elevated to ldquocertificate authorizing schemerdquobull All CCRA members ldquoagree in principlerdquo to new CC Recognition

Arrangement

2


Notes from ICCC (2)



3


Notes from ICCC (3)




4


Notes from ICCC (4)






5


Notes from ICCC (5)





6


Notes from ICCC (6)





7









8





9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19



Notes from ICCC (2)



3


Notes from ICCC (3)




4


Notes from ICCC (4)






5


Notes from ICCC (5)





6


Notes from ICCC (6)





7









8





9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19



Notes from ICCC (3)




4


Notes from ICCC (4)






5


Notes from ICCC (5)





6


Notes from ICCC (6)





7









8





9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19



Notes from ICCC (4)






5


Notes from ICCC (5)





6


Notes from ICCC (6)





7









8





9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19



Notes from ICCC (5)





6


Notes from ICCC (6)





7









8





9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19



Notes from ICCC (6)





7









8





9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19










8





9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19






9






10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19







10








11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19









11








12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19









12










13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19











13







14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19








14









15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19










15




16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19





16



bull Nothing

17


Plans and Schedules


18


Open Discussion

19




bull Nothing

17


Plans and Schedules


18


Open Discussion

19



Plans and Schedules


18


Open Discussion

19



Open Discussion

19


1Copyright © 2013 The Printer Working Group. All rights reserved. MFP Technical Community Vendor...

Documents

Transcript of 1Copyright © 2013 The Printer Working Group. All rights reserved. MFP Technical Community Vendor...