Common Criteria update on International Network Device Protection Profile
from Amsterdam F2F last week, for CCUF report at IDS session tomorrow.
Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
mailto: blueroofmusic at gmail.com
Jan-April: 579 Park Place Saline, MI 48176 734-944-0094
May-Dec: PO Box 221 Grand Marais, MI 49839 906-494-2434
---------- Forwarded message ----------
From: Common Criteria Users' Forum <postman at notify.onlyoffice.com>
Date: Tue, May 2, 2017 at 9:45 AM
Subject: Projects [Network iTC]. New discussion: CCUF Amsterdam Follow-Up
To: blueroofmusic at gmail.com
New discussion created: CCUF Amsterdam Follow-Up
5/2/2017 9:45:13 AM Mark Jackson
has started a new discussion: CCUF Amsterdam Follow-Up
Great to catch up with some of you face to face in Amsterdam last week. I
know many of you couldn't make the event and so thought I'd share a few
highlights from the meeting we held, along with a pointer to the slides.
- I provided an update as to where we are with NDcPP and ND SD version
2. We are very close now. We have one issue to resolve on the cPP which is
undergoing a review with NIAP but otherwise this is now done. I'm aiming to
have this closed by this week. The SD is undergoing a final editorial
review and so may be a little behind the cPP as it undergoes some final
consistency checks before being released. But it shouldn't be too far
behind and I'd certainly like to see this released next week also.
- I've been asked about a detailed change log for version 2. This is
going to be very difficult to provide, not least because of the lack of
tooling that is enabling us to track each and every issue. In addition,
we've made so many changes to the documents that it would be a very
extensive list - so extensive that it wouldn't really serve any purpose. I
will update the change document I published during the public review and
will also be publishing the consolidated comment forms for the cPP and SD.
Together they should give a sense of what has changed.
- I talked a little about the editorial process that the team had been
following, just so there was some transparency over what we've been doing
for the past few months. The details are in the slides so I won't repeat it
all here. I'm planning to publish the process so that we can re-use it as a
standard process for the iTC going forward.
- We talked about major and minor versioning with regards the cPP and SD
as we all recognise that we have a number of elements that need a much
shorter 'fix' time than 2-3 years. Tony talked about his ideas about having
a regular minor version update that would focus on minor updates to the
documents, covering such things as:
- Fixes that are unable to be incorporated into the previous version
(due to timescales or scale of fix)
- NIT Technical Decisions
- Some of the versioning conversation relies on how schemes adopt our
approach - details which still need to be worked on.
- We talked about version 2.1 as being a great trial for our
first minor. This will be tightly scoped to a defined set of changes and
the plan is that, as a minor version, it will not be subject to the external
public review cycle we would perform for a major version. Instead, it would
receive an internal iTC only review. Furthermore, the editorial team will
focus on comments/feedback associated with the changed elements of the
cPP/SD, not comments that impact the wider document - unless they are of a
- We talked also about the need to review the current basis for the cPP
and SD. At a combined page count of > 400 pages, it is getting increasingly
difficult to manage the documents and make use of them. We discussed the
need to review the validity of some of the requirements and ensure that
they remain applicable in the face of the threats we're trying to protect
against. This will be a long-term project and will run in parallel to other
developmental activity. Details of this approach are yet to be defined.
I think this captures the highlights. It was a lively and engaged debate
which is good as there is much still to do within the iTC. If you have
questions or comments, please add them to the thread.
Slides from the session can be found at https://ccusersforum.