Don Wright Director of Standards Lexmark International P2600 Hardcopy Device and System Security April 2007 Working Group Meeting 4/12/2019
Wireless SSID = IEEE or IEEE-alt, launch your browser If you don’t have an IEEE Web Account, sign in as a guest, then... Get a Guest Web account at: Click on 2nd “Register for IEEE Web Account” Click on “Create your Guest Web Account Now” Fill out the requested information Go to Sign in with your new Guest Web Account
Agenda Items Tuesday/Wednesday, April 24-25
  Welcome & Introductions
  Update and Approve Agenda
  Review and approve December Minutes
  IEEE Patent Policy Review
  Current Policy
  New Policy Effective 30 April 2007
  2007 Meeting Schedule
  Update on TCG
  Update on INCITS CS1 Working Group
  Update on CC Vendors Forum
  Review of Action Items from December Meeting
Agenda Items Tuesday/Wednesday, April 24-25
  Discussion and Decision on DOS Threats
  Discussion and Decision on PP Format
  Smithson Proposal
  Nevo Proposal
  Topics from e-mail
  Roundtable with CC Labs/Consultants (9 AM on April 25)
  Document Review of PPs & PP Annexes
  Merged Document Review
  Other items
  Next meeting details
  Summarize and record action items
Minutes from February Meeting Minutes were published shortly after the meeting. They are available at: Any additions, deletions or corrections to the February minutes?
Instructions for the WG Chair At Each Meeting, the Working Group Chair shall: Show slides #1 and #2 of this presentation Advise the WG membership that: The IEEE’s patent policy is consistent with the ANSI patent policy and is described in Clause 6 of the IEEE-SA Standards Board Bylaws; Early disclosure of patents which may be essential for the use of standards under development is encouraged; Disclosures made of such patents may not be exhaustive of all patents that may be essential for the use of standards under development, and that neither the IEEE, the WG, nor the WG Chairman ensure the accuracy or completeness of any disclosure or whether any disclosure is of a patent that, in fact, may be essential for the use of standards under development. Instruct the WG Secretary to record in the minutes of the relevant WG meeting: That the foregoing advice was provided and the two slides were shown; That an opportunity was provided for WG members to identify or disclose patents that the WG member believes may be essential for the use of that standard; Any responses that were given, specifically the patents and patent applications that were identified (if any) and by whom. (Not necessary to be shown) Approved by IEEE-SA Standards Board – March 2003 (Revised March 2005)
IEEE-SA Standards Board Bylaws on Patents in Standards IEEE standards may include the known use of essential patents and patent applications provided the IEEE receives assurance from the patent holder or applicant with respect to patents whose infringement is, or in the case of patent applications, potential future infringement the applicant asserts will be, unavoidable in a compliant implementation of either mandatory or optional portions of the standard [essential patents]. This assurance shall be provided without coercion. The patent holder or applicant should provide this assurance as soon as reasonably feasible in the standards development process. This assurance shall be provided no later than the approval of the standard (or reaffirmation when a patent or patent application becomes known after initial approval of the standard). This assurance shall be either: a) A general disclaimer to the effect that the patentee will not enforce any of its present or future patent(s) whose use would be required to implement either mandatory or optional portions of the proposed IEEE standard against any person or entity complying with the standard; or b) A statement that a license for such implementation will be made available without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination. This assurance is irrevocable once submitted and accepted and shall apply, at a minimum, from the date of the standard's approval to the date of the standard's withdrawal. Slide #1 Approved by IEEE-SA Standards Board – March 2003 (Revised February 2006)
Inappropriate Topics for IEEE WG Meetings Don’t discuss the validity/essentiality of patents/patent claims Don’t discuss the cost of specific patent use Don’t discuss licensing terms or conditions Don’t discuss product pricing, territorial restrictions, or market share Don’t discuss ongoing litigation or threatened litigation Don’t be silent if inappropriate topics are discussed… do formally object. If you have questions, contact the IEEE-SA Standards Board Patent Committee Administrator at or visit This slide set is available at Slide #2 Approved by IEEE-SA Standards Board – March 2003 (Revised March 2005)
New IEEE Patent Policy New Tutorial Slides New Working Group Slides
2007 Meeting Schedule
  May 30-31: At IEEE-USA Offices, Washington DC; TCG on Friday, June 1st, location is TBD
  July 11-12: At HP Bellevue with TCG on the 13th; aligned with PWG (meeting 9th, 10th at Microsoft)
  August 22-23 (Toronto?)
  October 24-25 in Cupertino @ Ricoh; TCG at same location on the 23rd
  Dec 10-11th (Austin)
Trusted Computing Group Update
INCITS CS1: Cyber-Security Update
CC Vendors Forum Update Thrasher/Sukert
Action Items from Previous Meetings
  Recorded at Meeting
  Don will e-mail schedule to list (sent 2/28)
  Ueda-san will mail slides on DoS to list (sent 2/26)
  Ueda-san will send document from IPA meeting (sent 3/16)
  Ron will develop and distribute alternative PP to the list (done)
  Invitations to Labs to come to Piscataway – Pete & Brian (done)
  Invitation to NIAP to come to DC – Pete & Brian
  Review entries in P2600-action-items Excel spreadsheet
  Current Spreadsheet
Denial Of Service Threats Discussion Material was posted to the mailing list Decision
New Organization of PPs
  Discussion of new Protection Profile Organization
  Smithson Proposal (document)
  Accept the concept
  Accept not putting networking functionality in the Common PP
  Discussed whether or not to change the threats/objectives/assets
  Create a mapping between old and new – AI: Smithson
  Must P2600 clause 10 exactly match the PPs except not in CC language?
  Perhaps things like DOS attacks are “should” requirements instead of “shall” requirements?
  Nevo Proposal (document)
Issues raised on e-mail
  Topics from e-mail
  Is External Network Environment appropriate to set as asset for HCD? (Ueda email)
  Remove External Network as an Asset
  Use OSP and Architecture Evaluation (SAR) as the basis for requiring fax not bridge to LAN, etc.
  T.EA.Proxy would be addressed in the same way
  Bridging, i.e. a connection not mediated by the TSF, will be described as between the LAN and other external interface
  This does not mean an HCD is prohibited from, for example, having an application in the device that takes a print job coming in from the LAN and causing a fax to be sent.
  Consider using an SFR for flow control.
Issues raised on e-mail
  Topics from e-mail
  Is the OS part of the TOE? (Sameer email)
  An ST would have to make the case that the OS is not security relevant and therefore does not need to be included in the evaluation.
  Classification of Management Data (Sameer email)
  If we use the new asset methodology, this issue is addressed but the definitions may need to be tweaked
  AI: Glen Petrie
  If we stick with the current definition, we will need to revise the definition of management data and separate what needs to remain secret from what does not.
  Probably(?) no need to “shred” mgmt data, i.e. take out O.Delete for mgmt data.
  Should a list of Management Data items that minimally need to be included be provided?
Issues raised on e-mail
  Topics from e-mail
  Proposal to remove T.TSF.SW (in PP-a 24a) or T.SW.STORED.ALT (in P2600.1 26d) from PP. (Ueda email)
  Keep O.Genuine objective .. Power-on CRC check
  Downloading new firmware generally invalidates the certification
  Consider the firmware part of the configuration data so that any threats against management data apply to the firmware?
  Disk Salvage/Storage of Encryption Keys
  You really have to store a root of the encryption keys in clear text somewhere.
  Don’t use terms like “easily removable” ... Be more specific
Roundtable with CC Labs/Consultants Time Certain -- 9 AM, 25 April
Document Review Drafts needing review Review any Comments Submitted Database comments Email comments Farrell email Merged Draft Version 26b (document)
Document Reviews: Protection Profiles None Awaiting Family vs. Packages decision
Other Items ?
Project Schedule
  Base Document: Finish integrating clause 10; Put document on the shelf until path of PPs is clear
  Protection Profiles: Will we create a Guide to the PPs? -- probably
  April Meeting actions/decisions: DoS decision; Structure of PPs (includes impact on threats list, assets, and objectives); Eval Labs: Discuss potential Funding methodologies
  May Meeting actions/decisions: Drafts of PP-B, PP-C and PP-D without SFRs/SARs; SFRs and SARs complete for PP-A
  July Meeting actions/decisions: Reflect PP changes back into P2600; Form P2600 ballot body; All PPs: validate SFRs/SARs and threat/objective mapping tables and rationales; Final PP Eval Funding Commitments; Draft of Guide
  Aug Meeting actions/decisions: Approve P2600 for sponsor ballot; Process P2600 PAR extension request; For P2600.1, .2, .3 and .4 ballot bodies; Finalize Eval Lab plans
  Oct Meeting actions/decisions: Approve PPs for sponsor ballot; Send PPs to Labs for preliminary assessments; Process Sponsor ballot comments on P2600
  Dec Meeting actions/decisions: Process Sponsor ballot comments on .1, .2, .3 and .4; Process any recirculation comments on P2600
Next Meeting Details
  May 30-31 (Wednesday/Thursday)
  IEEE-USA Headquarters, 1828 L St. NW, 12th Floor, Washington, DC 20036
  Wireless Internet access (Get an IEEE Web ID in advance)
  Parking in basement of building
  No fee for use of meeting room or LCD projector
  Breakfast and snacks -- $20-25 per day -- CASH ONLY
  No hotel arrangements have been made -- you're on your own!!
  Don’t forget the TCG Meeting on Friday, location TBD
Next Meeting Location Map
Action Items ?
Back-up Charts
Paying for the PP Evaluations
  Benefits for paying for the PP evaluation (ideas)
  Company name/logo and acknowledgement of some kind on the PP cover sheets and/or on the PP certificate.
  Copyright license to freely use PP content.
  Joint press release or other PR activities with IEEE.
  Some kind of elevated acknowledgment (logos vs. no logo or whatever) on the P2600 standard.
  A discount from the eval lab for product evals based on P2600 PPs. A lab might like that to generate business.
  Only those contributing dollars have input into the selection of the eval lab, which PPs get evaluated and the schedule/order of the PPs.
Mailing List and Web Site Listserv run by the IEEE An archive is available on the web site Subscribe via a note to: containing the line: subscribe stds-2600 Only subscribers may send e-mail to the mailing list. No Change