P2600 Hardcopy Device and System Security April 2004 Working Group Meeting Don Wright Director, Alliances & Standards Lexmark International don@lexmark.com 2/22/2019
Agenda April 19, 2004 8:30 Continental Breakfast 9:00 Opening, Intros, etc. 9:15 IEEE Patent Policy 9:30 Developing Protection Profiles - Mario Tinto (Aerospace Corp) 10:30 Break 10:45 Protection Profile Proposal - Mr. Yuusuke Ohta (Ricoh) 12:40 Lunch 2:15 Protection Profile Discussions 5:30 Wrap-up April 20, 2004 8:30 Continental Breakfast 9:00 Opening, Intros, etc. 9:15 Document Development 12:00 Lunch 1:00 Resume Document Development 2:30 Review future meeting plan 3:00 Wrap-up 2/22/2019
Instructions for the WG Chair At Each Meeting, the Working Group Chair shall: Show slides #1 and #2 of this presentation Advise the WG membership that: The IEEE’s Patent Policy is consistent with the ANSI patent policy and is described in Clause 6 of the IEEE SA Standards Board Bylaws; Early disclosure of patents which may be essential for the use of standards under development is encouraged; Disclosures made of such patents may not be exhaustive of all patents that may be essential for the use of standards under development, and that neither the IEEE, the WG nor the WG Chairman ensure the accuracy or completeness of any disclosure or whether any disclosure is of a patent that in fact may be essential for the use of standards under development. Instruct the WG Secretary to record in the minutes of the relevant WG meeting: that the foregoing advice was provided and the two slides were shown; that an opportunity was provided for WG members to identify or disclose patents that the WG member believes may be essential for the use of that standard; any responses that were given, specifically the patents and patent applications that were identified (if any) and by whom. 2/22/2019 (Not necessary to be shown) Approved by IEEE-SA Standards Board – March 2003 (Revised Feb 2004)
IEEE-SA Standards Board Bylaws on Patents in Standards IEEE standards may include the known use of essential patents and patent applications provided the IEEE receives assurance from the patent holder or applicant with respect to patents whose infringement is, or in the case of patent applications, potential future infringement the applicant asserts will be, unavoidable in a compliant implementation of either mandatory or optional portions of the standard [essential patents]. This assurance shall be provided without coercion and prior to approval of the standard (or reaffirmation when a patent or patent application becomes known after initial approval of the standard). This assurance shall be a letter that is in the form of either: a) A general disclaimer to the effect that the patentee will not enforce any of its present or future patent(s) whose use would be required to implement either mandatory or optional potions of the proposed IEEE standard against any person or entity complying with the standard; or b) A statement that a license for such implementation will be made available without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination. This assurance shall apply, at a minimum, from the date of the standard's approval to the date of the standard's withdrawal and is irrevocable during that period. 2/22/2019 Slide #1 Approved by IEEE-SA Standards Board – March 2003 (Revised February 2004)
Inappropriate Topics for IEEE WG Meetings Don’t discuss licensing terms or conditions Don’t discuss product pricing, territorial restrictions or market share Don’t discuss ongoing litigation or threatened litigation Don’t be silent if inappropriate topics are discussed… do formally object. If you have questions, contact the IEEE-SA Standards Board Patent Committee Administrator at patcom@ieee.org or visit http://standards.ieee.org/board/pat/index.html 2/22/2019 Slide #2 Approved by IEEE-SA Standards Board – March 2003 (Revised February 2004)
Officers Chair: Don Wright, Lexmark Vice Chair: Lee Farrell, Canon Secretary: Steffan Deschrijver, Print4Sight Editors: Brian Volkoff Jerry Thrasher Ron Bergman Stefaan DeSchrijver 2/22/2019
Mailing List and Web Site Listserv run by the IEEE An archive is available on the web site Subscribe via a note to: listserv@listserv.ieee.org containing the line: subscribe stds-2600 Only subscribers may send e-mail to the mailing list. 2/22/2019
Action Items Begin developing draft document based on CSPP - Guidance for COTS Security Protection Profiles (http://csrc.nist.gov/publications/nistir/ir6462.pdf) Introduction – D.W. -- posted TOE Description – J.T. -- posted Security Environment (Multiple environments) – P.C. Security Assumptions Organizational Policies Role/Vulnerabilities/Exploitations – S.D. -- posted Security Objectives – B.V. Security Requirements TOE Functional Security IT Functional Security Non-IT Functional Security Requirements Assurance Requirements Rationale Appendix TOE Functional Requirements Additional Details TOE Assurance Requirements Additional Details IT Environment Functional Requirements Additional Details Other Security Consideration Encryption Certification (FIPS in the US) System Considerations 2/22/2019
Presentation/Forum Developing Protection Profiles Mario Tinto Aerospace Corp 2/22/2019
Presentation/Proposal Protection Profile Proposal Mr. Yuusuke Ohta Ricoh 2/22/2019
Content of Standard IEEE standards include but are not limited to: Lists of terms, definitions, or symbols, applicable to any field of science or technology within the scope of the IEEE. Expositions of scientific methods of measurement or tests of the parameters or performance of any device, apparatus, system, or phenomenon associated with the art, science, or technology of any field within the scope of the IEEE. Characteristics, performance, and safety requirements associated with devices, equipment, and systems with engineering installations. Recommendations reflecting current state-of-the-art in the application of engineering principles to any field of technology within the scope of the IEEE. IEEE standards are classified as: Standards: documents with mandatory requirements. Recommended practices: documents in which procedures and positions preferred by the IEEE are presented. Guides: documents in which alternative approaches to good practice are suggested but no clear-cut recommendations are made. Trial-Use documents: publications that are effective for not more than two years. They can be any of the categories of standards publications listed above. 2/22/2019
Document Editor(s) Create drafts Publish on web site Respond to comments Maintain change history Volunteers: Brian V. Jerry T. Ron Bergman Stefaan DeSchrijver 2/22/2019
Content of Standard CSPP - Guidance for COTS Security Protection Profiles (http://csrc.nist.gov/publications/nistir/ir6462.pdf) Introduction – D.W. TOE Description – J.T. Security Environment (Multiple environments) – P.C. Security Assumptions Organizational Policies Role/Vulnerabilities/Exploitations – S.D. Security Objectives – B.V. Functional Security Requirements Assurance Requirements Appendix TOE Functional Requirements Details TOE Assurance Requirements Details IT Environment Functional Requirements Other Security Consideration Encryption Certification (FIPS in the US) System Considerations 2/22/2019
Content of Standard Is there one and only one profile or is there a way to divide or segment the profile? A profile could have objectives that are based on the security environment. Increasing objectives for increasing security risk. The profiles could then be broken down into categories (network, harddisk, etc.) where the security objectives are conditionally mandatory. (Requires some degree of modularity within the device.) Try to get people from NIST/NIAP to attend and present at the Washington DC meeting on the viability to this approach to creating a protection profile. 2/22/2019
Day 2 April 20, 2004 8:30 Continental Breakfast 9:00 Opening, Intros, etc. 9:15 Document Development* 12:00 Lunch 1:00 Resume Document Development 2:30 Review future meeting plan 3:00 Wrap-up * Work assignments to be made 2/22/2019
Issues Should the P2600 Standard contain actual PPs against which devices could be tested? - YES Do we need to create multiple profiles targeted at market segments with differing security needs (e.g. High (Govt. Security Agencies) vs Medium (e.g. HIPAA, GLB compliance) vs Basic (e.g. general office))? - YES What else needs to be in the standard? Threats/Vulnerabilities Techniques to mitigate above Which profiles cover which Threats Intended use of the profiles – are they guidance or requirements presented in the form of a PP? What system dependencies (e.g. encrypted print jobs) exist. 2/22/2019
Threat Domains Confidentiality Integrity Availability Asset: User Documents, MFPs, Comfiguration files, Supplies, Audit/Utilization data, other equipment on the network Agents: Who: User, Admin, Hacker and their skill level: Novice, Expert, Highly skilled (bespoke) 2/22/2019
Schedule The PAR included estimates of the end-points of the schedule: Sponsor Ballot: June 2005 Submission to RevCom: Feb 2006 Future Meetings June 2-3, Xerox, El Segundo, CA M1 Bldg, on S. Aviation Blvd between Utah and Alaska No contracted hotel August 19-20, with PWG in Montreal October 6-7, with PWG, in Lexington KY November 18-19, with PWG, San Antonio 2/22/2019