Guide to Reading and Understanding the P2600 Protection Profiles – Do we really need it?

1. Purpose

What is the need, potential content, timing and audience of a Guide?

Possible format:

  • Stand-alone document
      • As an IEEE Guide
      • As a non-IEEE document
  • FAQ style, published on a web site (maintained as we go, but only until a representative set of STs have been published and products certified)
  • Some sort of web forum (maintained indefinitely) which provides some FAQ information but also has some capability for moderated discussion groups. This would probably be for P2600 in general, not just for the PPs.

      • Vendor questions/answers
      • Customer questions/answers
      • IT professional questions/answers
      • Feedback/requests for future updates

Possible goals/questions to be addressed:

  • How to select which operational environment to have a product certified for?
  • How to construct an ST for various HCD configurations (partially-worked examples)
  • How to select which operational environment to specify a compliant product?
  • How to specify a P2600 compliant / certified product in your procurement specs

Suggested requirements/content for the document (as sifted through past Minutes):

  • [Jul2007]A place to describe the threats in detail
  • [Jul2007]Explain the differences between the environments and the related PPs
  • [Jul2007] Which PP should I certify against? How to do it?
  • [Jul2007]As an end user, which environment should I specify?
  • [Jul2007]How do the models work and “go together”?
  • [Jul2007]Give guidance to customers who want to specify in an RFP
  • [Jul2007]An implementation guide for ST authors
  • [May2007] A guide to help with “the new model”
  • [May2007] A place where we could put examples without implying requirements
  • [Apr2007] A place to describe P2600-PP issues/ignored threats
  • [Apr2007] Explain the use of the PPs, including some worked examples such as how to use the PPs for particular configurations like printers, fax machines, MFPs
  • [Apr2007] A place for “ancillary information”
  • [Feb2007] Guidance about what PP to choose
  • [Feb2007] Guidance for two audiences: customers and vendors
  • [Feb2007] Guidance for evaluators on how to evaluate
  • [Feb2007] Guidance for security target writers and for end users
  • [Feb2007] A place to put “a lengthy description of MFP architecture”
  • [Dec2006] A place to include a PP threat table

Non-goals:

  • A Guide to understanding PPs in general

2. Recent Comment from Glen Petrie

From: Petrie, Glen
Sent: Tuesday, August 07, 2007 9:46 AM
To: Farrell, Lee
Subject: RE: A P2600 Protection Profile "Guide"

Lee,

As a quick response, the original division of documents made it very difficult to understand the overall picture - the reason for the guide. However, now, with the family document etc., the guide may not be necessary.

If you have not noticed I have not been able to attend much lately --- this may be a good thing. It means, I can now review the latest documents, with familiarity but not the years of background, to determine if a guide would still be useful.

I will try to set aside time to do this.

glen.

3. Possibly Relevant References to “Guide” in Past Minutes

3.1 July 2007

3.1.1

[P2600.1 (FPP-A) comments]

See comments:

  • Which document will describe threats in detail? [Yami]

More will be added to PPs

Also is a candidate for Guide to PPs [Wright]

3.1.2

Guide to P2600 PPs [Wright]

  • is there a need?
  • FAQ style- published on a web site? [Yami]
  • could keep the P2600 site alive but would need to reference in the paper documents and then maintain the web site
  • Glen Petrie wanted one to help understand the differences between environments and the PPs [Farrell]
  • this isn't a guide to PPs in general, there is already an ISO TR about that
  • what is Glen's question? which PP should I certify against? or how to do it? or as an end user, which environment should I specify? [Haapanen]
  • how the models work and go together would be useful, but without telling them how to write an ST
  • there may be a need to give guidance to customers who want to specify in an RFP [Cybuck]
  • an implementation guide for ST authors could be useful [Sukert]
  • Lee will collect responses and we will consider whether to do one
  • maybe it will be sufficient to publish something temporary on the web site just to get vendors up to speed on P2600-based STs [Smithson]

3.2 May 2007

3.2.1

[New model versus old model]

{There was some discussion about whether locked/mailbox/PIN printing was covered by the NVS PP or the DSR PP or not at all. The intention of NVS was that it only covers threats of removal/analysis of nonvolatile storage devices, and DSR only covers documents that are stored during one job for retrieval during a subsequent job (and possibly by a different user). }

  • I was asked how to handle mailbox printing and also job management data. Since the model is abstract, we really need a user guide to help with this model [Aubry]
  • That will help. If we make the model more specific, it could imply architectural or implementation requirements that we don’t want to require. Some of these issues are not due to the new model, they are due to the division of functions that we have already adopted. A user guide would be a place where we could put examples without implying requirements. [Smithson]

3.3 April 2007

3.3.1

Possibly not relevant

[INCITS update]

TR 15446 guide to PPs and STs is being revised, in 2nd WD

3.3.2

[Decision on DoS threat]

put an explanation in the document where other P2600-PP issues/ignored threats are put (such as in a guide to P2600 PPs)

3.3.3

If someone has a question about an IEEE PP, who do they ask? [Nevo]

  • The lab who validated the PP [Rogers]
  • Or they might contact a consultant [Keller]
  • But if there is a real inconsistency or issue, how would that be resolved? [Thrasher]
  • Officially, it is a scheme issue, or back to the P2600 group if there is a way to contact someone [Keller]
  • So they might first go to the scheme, then the lab, then the P2600? [Smithson]
  • Unlike other PPs, it may be easier to contact the PP author in the P2600 case. And there is a body of information in P2600 that isn’t available in most cases of PP development.

We are also considering creating another document, an IEEE Guide (not a standard) that would explain the use of the PPs. It could even have some worked examples, such as how to use the PPs for particular configurations like printers, fax machines, MFPs. We have the luxury of doing this because through the IEEE we have a place to publish this kind of ancillary information. [Smithson]

  • There is discussion of having a repository for PPs so you can easily find them {atsec is going to host this} [Persson]
  • The other way you can deal with problems in a PP is to make a note in the ST of what some part of the PP is not being followed, and it’s even possible for a scheme to say that all STs must address the same issue. [Persson]

3.4 February 2007

3.4.1

[PP structure discussion]

A customer may be confused in some cases about what PP to choose, but at least in the PP-A and PP-B environment, we could provide some guidance in another document that helps the customer. This is something we discussed at IPA [Ueda]

I think that the guide document, suggested by Petrie, is a good idea and now that IPA and DAPS have brought it up also, there may be two audiences for such guidance: customers and vendors. [Smithson]

[PP structure discussion]

How would we tell evaluators how to evaluate this? [Wright]

  • Any combination according to the rules should be OK. But each PP should be evaluatable by itself. [Smithson]
  • Would there be any combinations that don’t work? [Wright]
  • I suppose that there might be, but that could be the case in a single PP with options. [Smithson]
  • Is there a naming convention? How do you know what the ST conforms to? [Wright]
  • Each PP has its own name and would be referenced in the ST by that name. {For example P2600.1-PRT is the print function PP for environment A.}

Any other opinions? [Wright]

  • When we visited IPA, they said that this structure is complex and would benefit from a guide [Uchiyama]
  • That would be a guide for evaluators, and we’d need one for security target writers and for end users [Wright]
  • That might be the case no matter how we structure these PPs. What we are trying to do is accommodate many kinds of TOEs, hundreds of possible products from dozens of vendors, in one PP or family of PPs. It is always going to be complex and would benefit from a guide [Smithson]

[PP-A 25d review]

The part of a PP which normally provides a “TOE Overview” is a little more difficult in a family structure. I needed to start out with a family overview and then proceed to give individual TOE overviews.

  • One of the example family PPs that we’ve been looking at (public key-enabled applications) has guidance for the evaluator; maybe we can use some of that [Wright]

The previous PPs had a lengthy description of MFP architecture. I tossed that out because I didn’t want to imply that all MFP functions were required, and I think that such information could be contained either in the main body or in the Guide document.

3.5 December 2006

3.5.1

Main document structure [Wright]

  • potential structure
      • main clauses 1-10
      • guide to PP is p2600.1
      • PP-A is p2600.2
      • PP-B is p2600.3 etc
      • others can be added asynchronously
  • alternative
      • place the guide material in each PP as an appendix

  • the only problem I can see with the separate guide is that it won’t be published along with the PPs on commoncriteriaportal.org, but then again, other PPs don’t come with guides either [Smithson]

3.5.2

[Main clauses 24a review]

We also need to add T.DOS.FAX threats to PP threat table (when moved to Guide to PPs)

3.5.3

[Main clauses 24b review]

For the “guide to PPs”, Thrasher will extract text into an IEEE template [Wright]

We also need to recruit an author for Guide to PPs. Glen Petrie of Epson is considering it. [Wright]

3.6 October 2006

3.6.1

Possibly not relevant

[Users/Subjects/Interfaces/Objects/Operations]

  • Presented an incomplete example of an entity model
  • Proposed that an example entity model be completed and used in examples in PP application notes.
  • The SFRs would not specify particular entities, but the application note examples would help guide the ST writer by demonstrating the intention of the PP SFRs.

3.7 April 2004

3.7.1

Ohta-san said that the PP Guidance document, “Guide for the Production of PPs and STs, Version 0.93” ( is a good reference for helping to create a Protection Profile and/or Security Target.

3.7.2

Possibly not relevant

There was some discussion about the external assumptions that can be made regarding the security integrity of documents that “enter the system” from the hardcopy device’s perspective. It was noted that the P2600 group needs to produce more than just a Protection Profile. The group also needs to provide information regarding “Security Management” guidelines as well.
