Re: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)

Subject: Re: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)
From: "Dr.Ir. D.J. Out" <out@itsef.tno.nl>
Date: Mon, 05 Apr 2004 15:47:38 +0200
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii; format=flowed
Organization: TNO-ITSEF BV
References: <7246F1C4915E1E4B874E62AE51E8F4F80264E2A1@broadsword.its.cse.dnd.ca> <16493.55148.956527.779@solarium.aero.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020408


Daniel P. Faigin wrote:
> On Fri, 2 Apr 2004 13:59:12 -0500 (EST), Pamela.Grannum@cse-cst.gc.ca said:
> 
> 
>>I think though, that the bigger impact is for US vendors who are trying to
>>show conformance to the PP. [...]
> 
> 
>>Anyway, we were told by the US to consult a 'precedent database' about
>>particular PPs, and any changes that they have had made to any PP's.  
> 
> 
>>But, yes you are correct in some ways. I know in Canada that, having been
>>burnt by this PP issue, we now dont automatically recognize a US PP without
>>having a bit of a good think about it ourselves.  And, to be blunt, we also
>>do a double check on any product that claims compliance to a 'flawed PP'.
> 
> 
>>Of course, the longer a PP is out there, the more likely someone will notice
>>problems with it.  But how do you rescind a PP?  I guess that is a Scheme
>>issue, and the US made their decision on how to handle it.  
> 
> 
> Flaws in PPs are a big problem... and you are right... once one is out there,
> it can't be drawn back. The problem is that a lot of PPs got out there early,
> got out there as drafts, ... for whatever reason were made public with
> flaws. And the US, with a greater emphasis on PPs, has had a larger share of
> them. 
> 
> So what do you do with a flaw, especially a flaw that is caught after the PP
> is out there and being used in an ST? The US approach is to first figure out
> what was originally meant. We then try and capture that original intent in a
> PD, which serves to quasi-amend the PP until the PP is reissued. That's
> probably about the best one can do, but is certainly less than ideal
> 
> So, yes, it is a problem. Are there other, better answers? 

To err is human, to repair is divine. Apply Assurance Maintenance to it 
to prevent re-evaluation.

> Does addressing
> flawed PPs need to be done in the CC itself?

No. This is a Scheme and/or CCRA issue.

Also note that at this moment, the CC is extremely unclear on what 
"using a certified PP" exactly means. The intuitive notion is that you 
can skip some ASE work units, but the CC/CEM do not support this idea.

DJ

I wonder what "Canada does not recognise a US PP unless.... " means. I 
didn't know that individual schemes had the power to repudiate parts of 
an international treaty formally executed between sovereign nations (the 
CCRA). :)

-- 
TNO ITSEF BV
P.O. Box 96864          tel +31 70 374 0304
2509 JG The Hague       fax +31 70 374 0651
The Netherlands         www.commoncriteria.nl

Follow-Ups:
- Re: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)
  - From: "Daniel P. Faigin" <faigin@solarium.aero.org>

References:
- RE: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)
  - From: Pamela.Grannum@CSE-CST.GC.CA
- RE: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)
  - From: "Daniel P. Faigin" <faigin@solarium.aero.org>

Prev by Date: Re: Categorisation of SFRs for the TOE and for the IT environment
Next by Date: Re: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)
Prev by thread: RE: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)
Next by thread: Re: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov