1Copyright © 2013 The Printer Working Group. All rights reserved. MFP Technical Community Vendor...
-
Upload
patrick-wright -
Category
Documents
-
view
213 -
download
1
Transcript of 1Copyright © 2013 The Printer Working Group. All rights reserved. MFP Technical Community Vendor...
1Copyright copy 2013 The Printer Working Group All rights reserved
MFP Technical Community Vendor F2F
1
bull Agendabull Notes from ICCCbull Recap of the F2F meeting in Orlandobull Discussion of currently open issues and proposed resolutions https
ccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468sortBy=commentsampsortOrder=descendingamptext=[issue]
bull Updates from NIAP and IPA (if any)bull Plans and schedulesbull Open discussion
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (1)
bull The theme was ldquoCollaborationrdquo
bull Major news itemsbull CNSSP 11 published (before ICCC)bull India elevated to ldquocertificate authorizing schemerdquobull All CCRA members ldquoagree in principlerdquo to new CC Recognition
Arrangement
2
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (2)
bull The CC Users Forum had a very strong presence before and during ICCCbull Next CCUF-CCDB workshop ~ Istanbul ~ March 17 2014
bull Next ICCC was not announced at this ICCCbull It will be somewhere in India late September as usualbull My guess is that ICCC 2015 will be in Australia
3
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (3)
bull Some interesting presentations
bull Dag Stroumlman (CCMC chair and head of the SE scheme) reported on the ldquonew CCrdquo pilot project creating a USB PP It has been going on for a long time and no TC created yet
bull T-Systems presented ldquoHow to Create a Slim and Comprehensive PPrdquo a process that looked similar to how we did the IEEE 2600-series PPs (except that it clusters SFRs around TOE security functions)
4
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (4)
bull More interesting presentations
bull IPA presented ldquoVulnerability-Centric Assurance Activities for MFP PP as a candidate cPPrdquo which foretells how IPA might write assurance activities in the new MFP PP
bull IPA also published a major update to their MFP Vulnerabilities research paper this time in English too
bull In Japanese httpswwwipagojpsecurityjisecapdxdocuments20130312reportpdf
bull In English httpwwwipagojpsecurityjisecapdxdocuments20130312report_Epdf
5
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (5)
bull Yet more interesting presentations
bull ldquoExact Conformancerdquo was explained by Jim Arnold (but it may or may not match NIAPrsquos official but undocumented definition)
bull ldquoItrsquos Just a Printer ndash Lessons Learned over 10 Years of CC Evaluations by Xerox and CSCrdquo brilliantly presented by Alan Sukert and Lachlan Turner about how they reduced evaluation cost by 40
bull Presentations are published on the web site httpwwwfbcinccomeicccagendaaspxbull Photos and videos will be posted sometime
6
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (6)
bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB
workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in
advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want
to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good
7
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (1)
bull The theme was ldquoCollaborationrdquo
bull Major news itemsbull CNSSP 11 published (before ICCC)bull India elevated to ldquocertificate authorizing schemerdquobull All CCRA members ldquoagree in principlerdquo to new CC Recognition
Arrangement
2
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (2)
bull The CC Users Forum had a very strong presence before and during ICCCbull Next CCUF-CCDB workshop ~ Istanbul ~ March 17 2014
bull Next ICCC was not announced at this ICCCbull It will be somewhere in India late September as usualbull My guess is that ICCC 2015 will be in Australia
3
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (3)
bull Some interesting presentations
bull Dag Stroumlman (CCMC chair and head of the SE scheme) reported on the ldquonew CCrdquo pilot project creating a USB PP It has been going on for a long time and no TC created yet
bull T-Systems presented ldquoHow to Create a Slim and Comprehensive PPrdquo a process that looked similar to how we did the IEEE 2600-series PPs (except that it clusters SFRs around TOE security functions)
4
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (4)
bull More interesting presentations
bull IPA presented ldquoVulnerability-Centric Assurance Activities for MFP PP as a candidate cPPrdquo which foretells how IPA might write assurance activities in the new MFP PP
bull IPA also published a major update to their MFP Vulnerabilities research paper this time in English too
bull In Japanese httpswwwipagojpsecurityjisecapdxdocuments20130312reportpdf
bull In English httpwwwipagojpsecurityjisecapdxdocuments20130312report_Epdf
5
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (5)
bull Yet more interesting presentations
bull ldquoExact Conformancerdquo was explained by Jim Arnold (but it may or may not match NIAPrsquos official but undocumented definition)
bull ldquoItrsquos Just a Printer ndash Lessons Learned over 10 Years of CC Evaluations by Xerox and CSCrdquo brilliantly presented by Alan Sukert and Lachlan Turner about how they reduced evaluation cost by 40
bull Presentations are published on the web site httpwwwfbcinccomeicccagendaaspxbull Photos and videos will be posted sometime
6
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (6)
bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB
workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in
advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want
to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good
7
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (2)
bull The CC Users Forum had a very strong presence before and during ICCCbull Next CCUF-CCDB workshop ~ Istanbul ~ March 17 2014
bull Next ICCC was not announced at this ICCCbull It will be somewhere in India late September as usualbull My guess is that ICCC 2015 will be in Australia
3
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (3)
bull Some interesting presentations
bull Dag Stroumlman (CCMC chair and head of the SE scheme) reported on the ldquonew CCrdquo pilot project creating a USB PP It has been going on for a long time and no TC created yet
bull T-Systems presented ldquoHow to Create a Slim and Comprehensive PPrdquo a process that looked similar to how we did the IEEE 2600-series PPs (except that it clusters SFRs around TOE security functions)
4
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (4)
bull More interesting presentations
bull IPA presented ldquoVulnerability-Centric Assurance Activities for MFP PP as a candidate cPPrdquo which foretells how IPA might write assurance activities in the new MFP PP
bull IPA also published a major update to their MFP Vulnerabilities research paper this time in English too
bull In Japanese httpswwwipagojpsecurityjisecapdxdocuments20130312reportpdf
bull In English httpwwwipagojpsecurityjisecapdxdocuments20130312report_Epdf
5
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (5)
bull Yet more interesting presentations
bull ldquoExact Conformancerdquo was explained by Jim Arnold (but it may or may not match NIAPrsquos official but undocumented definition)
bull ldquoItrsquos Just a Printer ndash Lessons Learned over 10 Years of CC Evaluations by Xerox and CSCrdquo brilliantly presented by Alan Sukert and Lachlan Turner about how they reduced evaluation cost by 40
bull Presentations are published on the web site httpwwwfbcinccomeicccagendaaspxbull Photos and videos will be posted sometime
6
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (6)
bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB
workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in
advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want
to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good
7
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (3)
bull Some interesting presentations
bull Dag Stroumlman (CCMC chair and head of the SE scheme) reported on the ldquonew CCrdquo pilot project creating a USB PP It has been going on for a long time and no TC created yet
bull T-Systems presented ldquoHow to Create a Slim and Comprehensive PPrdquo a process that looked similar to how we did the IEEE 2600-series PPs (except that it clusters SFRs around TOE security functions)
4
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (4)
bull More interesting presentations
bull IPA presented ldquoVulnerability-Centric Assurance Activities for MFP PP as a candidate cPPrdquo which foretells how IPA might write assurance activities in the new MFP PP
bull IPA also published a major update to their MFP Vulnerabilities research paper this time in English too
bull In Japanese httpswwwipagojpsecurityjisecapdxdocuments20130312reportpdf
bull In English httpwwwipagojpsecurityjisecapdxdocuments20130312report_Epdf
5
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (5)
bull Yet more interesting presentations
bull ldquoExact Conformancerdquo was explained by Jim Arnold (but it may or may not match NIAPrsquos official but undocumented definition)
bull ldquoItrsquos Just a Printer ndash Lessons Learned over 10 Years of CC Evaluations by Xerox and CSCrdquo brilliantly presented by Alan Sukert and Lachlan Turner about how they reduced evaluation cost by 40
bull Presentations are published on the web site httpwwwfbcinccomeicccagendaaspxbull Photos and videos will be posted sometime
6
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (6)
bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB
workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in
advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want
to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good
7
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (4)
bull More interesting presentations
bull IPA presented ldquoVulnerability-Centric Assurance Activities for MFP PP as a candidate cPPrdquo which foretells how IPA might write assurance activities in the new MFP PP
bull IPA also published a major update to their MFP Vulnerabilities research paper this time in English too
bull In Japanese httpswwwipagojpsecurityjisecapdxdocuments20130312reportpdf
bull In English httpwwwipagojpsecurityjisecapdxdocuments20130312report_Epdf
5
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (5)
bull Yet more interesting presentations
bull ldquoExact Conformancerdquo was explained by Jim Arnold (but it may or may not match NIAPrsquos official but undocumented definition)
bull ldquoItrsquos Just a Printer ndash Lessons Learned over 10 Years of CC Evaluations by Xerox and CSCrdquo brilliantly presented by Alan Sukert and Lachlan Turner about how they reduced evaluation cost by 40
bull Presentations are published on the web site httpwwwfbcinccomeicccagendaaspxbull Photos and videos will be posted sometime
6
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (6)
bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB
workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in
advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want
to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good
7
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (5)
bull Yet more interesting presentations
bull ldquoExact Conformancerdquo was explained by Jim Arnold (but it may or may not match NIAPrsquos official but undocumented definition)
bull ldquoItrsquos Just a Printer ndash Lessons Learned over 10 Years of CC Evaluations by Xerox and CSCrdquo brilliantly presented by Alan Sukert and Lachlan Turner about how they reduced evaluation cost by 40
bull Presentations are published on the web site httpwwwfbcinccomeicccagendaaspxbull Photos and videos will be posted sometime
6
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (6)
bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB
workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in
advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want
to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good
7
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Notes from ICCC (6)
bull CNSSP 11 was published before ICCCbull I set up a QampA session with NIAP at the CCUF-CCDB
workshop on the Friday before ICCCbull Janine Pedersen answered questions that were submitted in
advance and additional questions from the audiencebull NIAP asked me to not publish a transcript because they want
to make an official fact sheetbull They are working on a fact sheetbull Itrsquos pretty good
7
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Recap of Orlando F2F
bull A full day meetingbull 17 in-person attendees 4 people by telecon
bull 7 different vendors from 4 countriesbull 3 different labs 3 different CC schemes 3 different
consultancies and 2 others
bull Not much administrative progressbull IPA and NIAP people were busy with CCRA meetings
bull We addressed 34 technical commentsbull Proposed resolutions for 25 issuesbull Identified steps for further study on the other 9 issues
bull Made vague plans for periodic telecons F2F meetings
8
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Lots of comments were resolved
bull Some were implemented in draft 063bull Some were rejectedbull For details refer to the 2013-09-09 MFP TC F2F
summary posted on Teamlab httpsccusersforumteamlabcomproductsfilesdoceditoraspxaction=viewampfileid=3223222
9
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (1)
bull User authorization is defined too narrowlybull ldquoSuggest that 311 is too narrow Need to also include ldquoaccess
to datardquo Note that Para 91 says exactly that but only about faxesrdquo
bull Proposal remove the second half of ldquoNote that the TOE can receive a PSTN fax without any User authorization but the received Document is subject to access controlsrdquo
10
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (2)
bull Discussion on IampAampA failure including external authenticationbull ldquoThere was interesting discussion about external IampAampA and
what happens when it fails Same thing for external audit storage (should there be something like FIA_AFL and FAU_STG4 for those cases)rdquo
bull TC F2F action item look at Enterprise Security Management for how they handle this Maybe it is just put in the audit log
bull None of the NDPP or ESM PPs address this (see httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260161 for details)
bull Proposal dont worry about specifying how to handle failure of either external authentication services or external audit storage services
11
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (3)
bull Addition to the table 1 ie auditable events (4)bull ldquoFor ldquoModification to the grouphelliprdquo what additional info should
be collectedrdquobull TC F2F action item Look at Enterprise Security Management
to see what they dobull NDPP and ESM either donrsquot even audit the event or (in one
case) doesnrsquot collect additional information Details httpsccusersforumteamlabcomproductsprojectsmessagesaspxprjID=239468ampid=260163comments
bull Proposal dont collect any additional information in the MFP PP
12
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (4)
bull Term ldquonon-fax datardquo for information flow control SFRbull ldquoIn FDP_IFF1 the term ldquonon-fax datardquo was confusing to all
Need a new term or make an ECD (para173 and elsewhere)rdquobull TC F2F action item One proposal is to use DUSERDOC and
DUSERJOB as the attributes
bull In FDP_IFF15 say ldquoanything other than that is deniedrdquo
bull In FDP_IFF12 FDP_IFF13 FDP_IFF14 express the rules for allowing it (left up to the ST author)
bull The other proposal is to create an Extended Component
bull The TC needs to discuss decide
13
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (5)
bull Addition to the table 1 ie auditable events (1 amp 2)bull 1 Add ldquoJob submissionrdquo with additional info ldquotyperdquo and
ldquoidentifierrdquo2 Add to ldquoJob completionrdquo the additional info ldquoidentifierrdquo and ldquocompletion statusrdquo
bull TC F2F action item vendors need to see if this is a standard practice in existing logs The security-relevant purpose of this was not clear
bull Also we need an answer about adding audit events beyond the PP requirements ndash does that violate ldquoexact compliancerdquo
14
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (6)
bull Audit log specification proposed by PWGbull ldquoPWG has created an audit log spec We should look at that for
potentially important events to log Also look at the NDPP log requirements (Table 1)rdquo
bull TC F2F recommendation
bull We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability)
bull Instead we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto communications and log requirements
bull It was noted that the audit requirements from NIAP and IPA may change over time so we will need to re-check
15
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Currently open issues (7)
bull Not sure that these OSPs are necessarybull ldquo[very lengthy comment from Mario about OSPs]rdquo
16
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Updates from NIAP and IPA
bull Nothing
17
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Plans and Schedules
bull NIAP updated their PP development schedule page and they show the MFP PP completion in Q4 2014
18
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-
Copyright copy 2013 The Printer Working Group All rights reserved
Open Discussion
19
- MFP Technical Community Vendor F2F
-