1Copyright © 2013 The Printer Working Group. All rights reserved. MFP Technical Community Vendor F2F 1 Agenda Notes from ICCC Recap of the F2F meeting in Orlando Discussion of currently open issues and proposed resolutions er=descending&text=[issue] er=descending&text=[issue Updates from NIAP and IPA (if any) Plans and schedules Open discussion
Copyright © 2013 The Printer Working Group. All rights reserved. Notes from ICCC (1) The theme was Collaboration Major news items CNSSP #11 published (before ICCC) India elevated to certificate authorizing scheme All CCRA members agree in principle to new CC Recognition Arrangement 2
Copyright © 2013 The Printer Working Group. All rights reserved. Notes from ICCC (2) The CC Users Forum had a very strong presence before and during ICCC Next CCUF-CCDB workshop ~ Istanbul, ~ March Next ICCC was not announced at this ICCC It will be somewhere in India, late September as usual My guess is that ICCC 2015 will be in Australia 3
Copyright © 2013 The Printer Working Group. All rights reserved. Notes from ICCC (3) Some interesting presentations Dag Ströman (CCMC chair and head of the SE scheme) reported on the new CC pilot project creating a USB PP. It has been going on for a long time, and no TC created yet. T-Systems presented How to Create a Slim and Comprehensive PP, a process that looked similar to how we did the IEEE 2600-series PPs (except that it clusters SFRs around TOE security functions). 4
Copyright © 2013 The Printer Working Group. All rights reserved. Notes from ICCC (4) More interesting presentations IPA presented Vulnerability-Centric Assurance Activities for MFP PP as a candidate cPP, which foretells how IPA might write assurance activities in the new MFP PP. IPA also published a major update to their MFP Vulnerabilities research paper, this time in English too! In Japanese: report.pdf report.pdf In English: report_E.pdf report_E.pdf 5
Copyright © 2013 The Printer Working Group. All rights reserved. Notes from ICCC (5) Yet more interesting presentations Exact Conformance was explained by Jim Arnold (but it may or may not match NIAPs official but undocumented definition). Its Just a Printer – Lessons Learned over 10 Years of CC Evaluations by Xerox and CSC, brilliantly presented by Alan Sukert and Lachlan Turner, about how they reduced evaluation cost by 40%. Presentations are published on the web site: Photos and videos will be posted, sometime? 6
Copyright © 2013 The Printer Working Group. All rights reserved. Notes from ICCC (6) CNSSP #11 was published before ICCC I set up a Q&A session with NIAP at the CCUF-CCDB workshop on the Friday before ICCC Janine Pedersen answered questions that were submitted in advance and additional questions from the audience NIAP asked me to not publish a transcript because they want to make an official fact sheet They are working on a fact sheet Its pretty good 7
Copyright © 2013 The Printer Working Group. All rights reserved. Recap of Orlando F2F A full day meeting 17 in-person attendees, 4 people by telecon 7 different vendors from 4 countries 3 different labs, 3 different CC schemes, 3 different consultancies, and 2 others Not much administrative progress IPA and NIAP people were busy with CCRA meetings We addressed 34 technical comments Proposed resolutions for 25 issues Identified steps for further study on the other 9 issues Made vague plans for periodic telecons, F2F meetings 8
Copyright © 2013 The Printer Working Group. All rights reserved. Lots of comments were resolved Some were implemented in draft Some were rejected For details, refer to the MFP TC F2F summary, posted on Teamlab editor.aspx?action=view&fileid= editor.aspx?action=view&fileid=
Copyright © 2013 The Printer Working Group. All rights reserved. Currently open issues (1) User authorization is defined too narrowly Suggest that is too narrow. Need to also include access to data. Note that Para 91 says exactly that, but only about faxes. Proposal: remove the second half of Note that the TOE can receive a PSTN fax without any User authorization, but the received Document is subject to access controls. 10
Copyright © 2013 The Printer Working Group. All rights reserved. Currently open issues (2) Discussion on I&A&A failure including external authentication There was interesting discussion about external I&A&A and what happens when it fails. Same thing for external audit storage. (should there be something like FIA_AFL and FAU_STG.4 for those cases?) TC F2F action item: look at Enterprise Security Management for how they handle this. Maybe it is just put in the audit log. None of the NDPP or ESM PPs address this (see s.aspx?prjID=239468&id= for details) s.aspx?prjID=239468&id= Proposal: don't worry about specifying how to handle failure of either external authentication services or external audit storage services. 11
Copyright © 2013 The Printer Working Group. All rights reserved. Currently open issues (3) Addition to the table 1, i.e. auditable events (4) For Modification to the group… what additional info should be collected? TC F2F action item: Look at Enterprise Security Management to see what they do. NDPP and ESM either dont even audit the event or (in one case) doesnt collect additional information. Details: s.aspx?prjID=239468&id=260163#comments s.aspx?prjID=239468&id=260163#comments Proposal: don't collect any additional information in the MFP PP. 12
Copyright © 2013 The Printer Working Group. All rights reserved. Currently open issues (4) Term non-fax data for information flow control SFR In FDP_IFF.1 the term non-fax data was confusing to all. Need a new term, or make an ECD. (¶173 and elsewhere) TC F2F action item: One proposal is to use D.USER.DOC and D.USER.JOB as the attributes: In FDP_IFF.1.5 say anything other than that is denied In FDP_IFF.1.2, FDP_IFF.1.3, FDP_IFF.1.4, express the rules for allowing it (left up to the ST author) The other proposal is to create an Extended Component. The TC needs to discuss / decide. 13
Copyright © 2013 The Printer Working Group. All rights reserved. Currently open issues (5) Addition to the table 1, i.e. auditable events (1 & 2) 1. Add Job submission with additional info type and identifier 2. Add to Job completion the additional info identifier and completion status TC F2F action item: vendors need to see if this is a standard practice in existing logs. The security-relevant purpose of this was not clear. Also, we need an answer about adding audit events beyond the PP requirements – does that violate exact compliance? 14
Copyright © 2013 The Printer Working Group. All rights reserved. Currently open issues (6) Audit log specification proposed by PWG PWG has created an audit log spec. We should look at that for potentially important events to log. Also look at the NDPP log requirements. (Table 1) TC F2F recommendation: We are not looking for additional audit requirements for certification purposes (nor format requirements for interoperability). Instead, we should look at the Enterprise Security Management PPs (including draft updates) and NDPP (including errata) for crypto, communications, and log requirements. It was noted that the audit requirements from NIAP and IPA may change over time, so we will need to re-check. 15
Copyright © 2013 The Printer Working Group. All rights reserved. Currently open issues (7) Not sure that these OSPs are necessary [very lengthy comment from Mario about OSPs] 16
Copyright © 2013 The Printer Working Group. All rights reserved. Updates from NIAP and IPA Nothing! 17
Copyright © 2013 The Printer Working Group. All rights reserved. Plans and Schedules NIAP updated their PP development schedule page and they show the MFP PP completion in Q
Copyright © 2013 The Printer Working Group. All rights reserved. Open Discussion 19