P2600 Hardcopy Device and System Security March 2004 Working Group Meeting Don Wright Director, Alliances & Standards Lexmark International don@lexmark.com 4/25/2019
Agenda March 10, 2004 9:00 - 9:15 Opening, Intros, Attendance, Approval of Minutes 9:15 - 9:40 IEEE Patent Policy, Mailing List/Web, Action Items 9:40 - 10:00 Election of Vice Chair & Secretary 10:00 - Noon Requirements: Roles/Vulnerabilities/Exploitations Work Noon - 1:00 Lunch 1:00 - 5:00 Requirements: Roles/Vulnerabilities/Exploitations Work 5:00 Wrap up March 11, 2004 9:00 - 9:15 Opening. etc. 9:15 – 9:45 Future Meeting Plans 9:45 - 10:30 Presentation on the CC Process – Peter Cybuck (Sharp) 10:45 - Noon Content Outline Noon - 1:00 Lunch 1:00 - 2:30 Content Outline (Cont.) 2:30 - 3:00 Assign Sections to Authors/Editors 3:00 Wrap up 4/25/2019
Instructions for the WG Chair At Each Meeting, the Working Group Chair shall: Show slides #1 and #2 of this presentation Advise the WG membership that: The IEEE’s Patent Policy is consistent with the ANSI patent policy and is described in Clause 6 of the IEEE SA Standards Board Bylaws; Early disclosure of patents which may be essential for the use of standards under development is encouraged; Disclosures made of such patents may not be exhaustive of all patents that may be essential for the use of standards under development, and that neither the IEEE, the WG nor the WG Chairman ensure the accuracy or completeness of any disclosure or whether any disclosure is of a patent that in fact may be essential for the use of standards under development. Instruct the WG Secretary to record in the minutes of the relevant WG meeting: that the foregoing advice was provided and the two slides were shown; that an opportunity was provided for WG members to identify or disclose patents that the WG member believes may be essential for the use of that standard; any responses that were given, specifically the patents and patent applications that were identified (if any) and by whom. 4/25/2019 (Not necessary to be shown) Approved by IEEE-SA Standards Board – March 2003 (Revised Feb 2004)
IEEE-SA Standards Board Bylaws on Patents in Standards IEEE standards may include the known use of essential patents and patent applications provided the IEEE receives assurance from the patent holder or applicant with respect to patents whose infringement is, or in the case of patent applications, potential future infringement the applicant asserts will be, unavoidable in a compliant implementation of either mandatory or optional portions of the standard [essential patents]. This assurance shall be provided without coercion and prior to approval of the standard (or reaffirmation when a patent or patent application becomes known after initial approval of the standard). This assurance shall be a letter that is in the form of either: a) A general disclaimer to the effect that the patentee will not enforce any of its present or future patent(s) whose use would be required to implement either mandatory or optional potions of the proposed IEEE standard against any person or entity complying with the standard; or b) A statement that a license for such implementation will be made available without compensation or under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair discrimination. This assurance shall apply, at a minimum, from the date of the standard's approval to the date of the standard's withdrawal and is irrevocable during that period. 4/25/2019 Slide #1 Approved by IEEE-SA Standards Board – March 2003 (Revised February 2004)
Inappropriate Topics for IEEE WG Meetings Don’t discuss licensing terms or conditions Don’t discuss product pricing, territorial restrictions or market share Don’t discuss ongoing litigation or threatened litigation Don’t be silent if inappropriate topics are discussed… do formally object. If you have questions, contact the IEEE-SA Standards Board Patent Committee Administrator at patcom@ieee.org or visit http://standards.ieee.org/board/pat/index.html 4/25/2019 Slide #2 Approved by IEEE-SA Standards Board – March 2003 (Revised February 2004)
Mailing List and Web Site Majordomo run by the IEEE An archive is available via the web site Subscribe via a note to majordomo@ieee.org containing the line: subscribe stds-2600 Only subscribers may send e-mail to the mailing list. 4/25/2019
Action/Information Items NIST finally responded to my request for participation but has no funding to participate. Microsoft has agreed to participate beginning with the May meeting. Article appeared in February 2004 issue of the Hardcopy Observer which contained several erroneous assumptions about our work. 4/25/2019
Election of Officers Chair: Don Wright, elected Feb 2004 Vice Chair 2 year term, eligible for re-election without limit Fulfills responsibilities of the chair in his/her absence. Secretary Records and publishes minutes Maintains voting membership list 4/25/2019
Slate of Officers Vice Chair Secretary Stefaan Deschrijver Lee Farrell 4/25/2019
Role / Vulnerability / Exploit Assignments 6 Roles were assigned to individuals Each person expanded list of vulnerabilities and exploits Could be more than just a bullet especially for more complex vulnerabilities and exploits All 6 distributed, via mailing list, their completed work last week. 4/25/2019
Role / Vulnerability / Exploitations Review consolidated document 4/25/2019
Day 2 March 11, 2004 9:00 - 9:15 Opening. etc. 9:15 – 9:45 Future Meeting Plans 9:45 - 10:30 Presentation on the CC Process – Peter Cybuck (Sharp) 10:45 - Noon Content Outline Noon - 1:00 Lunch (Siemens Room) 1:00 - 2:30 Content Outline (Cont.) 2:30 - 3:00 Assign Sections to Authors/Editors 3:00 Wrap up 4/25/2019
Schedule The PAR included estimates of the end-points of the schedule: Sponsor Ballot: June 2005 Submission to RevCom: Feb 2006 Meetings every 6-8 weeks Some aligned with other industry/standards meetings. Proposed Future Meetings March 10-11, location NY/NJ April 19-20, in conjunction with PWG in Washington DC June 2-3, tentatively Xerox, El Segundo, CA July 22-23, in conjunction with PWG, in Montreal September 1-2, location w/c August 19-20, with PWG in Montreal October 6-7, in conjunction with PWG, in Lexington KY November 18-19, in conjunction with PWG, San Antonio 4/25/2019
2004 PWG Meeting Schedule April 19-23: Washington, D.C. 19: P2600 20: P2600 21: Plenary / T.B.D. 22: WBMM 23: TBD May 24-28: Vancouver, BC 24: T.B.D. 25: WBMM 26: Plenary / T.B.D. 27: 28: August 16-20: Montreal, Canada 16: T.B.D. 17: WBMM 18: Plenary / T.B.D. 19: P2600 20: P2600 October 4-8: Lexington, Ky 4: WBMM 5: Plenary 6: P2600 7: P2600 8: T.B.D. November 15-19: San Antonio 15: T.B.D. 16: WBMM 17: Plenary 18: P2600 19: P2600 4/25/2019
Presentation Common Criteria Process – Peter Cybuck (Sharp) 4/25/2019
Content of Standard Profile based on CC Rationale supporting the profile is based on work done on Role/Vulnerabilities/Exploits “Extension” of CC to cover hardcopy unique areas (e.g. output bin locks) 4/25/2019
Content of Standard IEEE standards include but are not limited to: Lists of terms, definitions, or symbols, applicable to any field of science or technology within the scope of the IEEE. Expositions of scientific methods of measurement or tests of the parameters or performance of any device, apparatus, system, or phenomenon associated with the art, science, or technology of any field within the scope of the IEEE. Characteristics, performance, and safety requirements associated with devices, equipment, and systems with engineering installations. Recommendations reflecting current state-of-the-art in the application of engineering principles to any field of technology within the scope of the IEEE. IEEE standards are classified as: Standards: documents with mandatory requirements. Recommended practices: documents in which procedures and positions preferred by the IEEE are presented. Guides: documents in which alternative approaches to good practice are suggested but no clear-cut recommendations are made. Trial-Use documents: publications that are effective for not more than two years. They can be any of the categories of standards publications listed above. 4/25/2019
Content of Standard CSPP - Guidance for COTS Security Protection Profiles (http://csrc.nist.gov/publications/nistir/ir6462.pdf) Introduction – D.W. TOE Description – J.T. Security Environment (Multiple environments) – P.C. Security Assumptions Organizational Policies Role/Vulnerabilities/Exploitations – S.D. Security Objectives – B.V. Functional Security Requirements Assurance Requirements Appendix TOE Functional Requirements Details TOE Assurance Requirements Details IT Environment Functional Requirements Other Security Consideration Encryption Certification (FIPS in the US) System Considerations 4/25/2019
Content of Standard Is there one and only one profile or is there a way to divide or segment the profile? A profile could have objectives that are based on the security environment. Increasing objectives for increasing security risk. The profiles could then be broken down into categories (network, harddisk, etc.) where the security objectives are conditionally mandatory. (Requires some degree of modularity within the device.) Try to get people from NIST/NIAP to attend and present at the Washington DC meeting on the viability to this approach to creating a protection profile. 4/25/2019
Assignments Proposals for what to include from Common Criteria – deferred until the draft work is underway. 4/25/2019
Document Editor(s) Create drafts Publish on web site Respond to comments Maintain change history Volunteers: Brian V. Jerry T. Ron Bergman Stefaan DeSchrijver 4/25/2019