Re: Categorisation of SFRs for the TOE and for the IT environment (flawed PPs)
Daniel P. Faigin wrote:
> On Fri, 2 Apr 2004 13:59:12 -0500 (EST), Pamela.Grannum@cse-cst.gc.ca said:
>
>>I think though, that the bigger impact is for US vendors who are trying to
>>show conformance to the PP. [...]
>
>>Anyway, we were told by the US to consult a 'precedent database' about
>>particular PPs, and any changes that they have had made to any PP's.
>
>>But, yes you are correct in some ways. I know in Canada that, having been
>>burnt by this PP issue, we now don't automatically recognize a US PP without
>>having a bit of a good think about it ourselves. And, to be blunt, we also
>>do a double check on any product that claims compliance to a 'flawed PP'.
>
>>Of course, the longer a PP is out there, the more likely someone will notice
>>problems with it. But how do you rescind a PP? I guess that is a Scheme
>>issue, and the US made their decision on how to handle it.
>
> Flaws in PPs are a big problem... and you are right... once one is out there,
> it can't be drawn back. The problem is that a lot of PPs got out there early,
> got out there as drafts, ... for whatever reason were made public with
> flaws. And the US, with a greater emphasis on PPs, has had a larger share of
> them.
>
> So what do you do with a flaw, especially a flaw that is caught after the PP
> is out there and being used in an ST? The US approach is to first figure out
> what was originally meant. We then try and capture that original intent in a
> PD, which serves to quasi-amend the PP until the PP is reissued. That's
> probably about the best one can do, but is certainly less than ideal.
>
> So, yes, it is a problem. Are there other, better answers?
To err is human, to repair is divine. Apply Assurance Maintenance to it
to prevent re-evaluation.
> Does addressing
> flawed PPs need to be done in the CC itself?
No. This is a Scheme and/or CCRA issue.
Also note that at this moment, the CC is extremely unclear on what
"using a certified PP" exactly means. The intuitive notion is that you
can skip some ASE work units, but the CC/CEM do not support this idea.
DJ
I wonder what "Canada does not recognise a US PP unless.... " means. I
didn't know that individual schemes had the power to repudiate parts of
an international treaty formally executed between sovereign nations (the
CCRA). :)
--
TNO ITSEF BV
P.O. Box 96864        tel +31 70 374 0304
2509 JG The Hague     fax +31 70 374 0651
The Netherlands       www.commoncriteria.nl