RE: Archive of CCIMB interpretations



A bit of history, for what it's worth:
 
We on the CCIMB have been having difficulty with these as well, because of the different statuses to which we can assign RIs. We assign an RI to be "Incorporated" when its changes have already been implemented; this was typically done for methodology questions that came out before the CEM, but were then incorporated into that document. However, when the FLR Supplement came out, we had no fixed approach for those affected by it: they could have been considered Incorporated (into the supplement), Superseded (by the supplement), or Closed (because of the supplement). We classified them as Incorporated. However, when we were doing a final check of the FLR Supplement (v1.0), we discovered an error in the wording of the Specific Changes to the text in 94. So we fixed the wording in the Supplement (hence "v1.1") and re-christened RI 94 as Superseded. (In retrospect, we probably should have corrected 94 as well, but at the time we had no revision system to update final Interps.)
 
So the claim that 2.2 is 2.1 + interps through 2003 is ALMOST correct. 2.2 is really 2.1 + interps through 2003 (except for 62, 92, and 94) + FLR Supplement v1.1.
 
The Annotated version has never been official. I originally created it for my own use to keep track of the changes resulting from Interps, but others -- including the CCIMB -- found it useful and wanted each update, despite the fact that it was never without errors. (Since my Annotated version did not have the Supplement, I made the changes in it, including what would have been the corrected 094 if we had corrected it.)
 
If it's any consolation, the CCIMB has moved to XML. My understanding is that the block of text identified in the RI as being the changes comes from the same XML code that is used in constructing the CC (which can now be reconstructed with every batch of RIs), so the RIs and CC will not be out of synch; the RI-94 kerfuffle is therefore unlikely to happen again. 
 
 
SO, which is the version to use? 2.2 is as up-to-date as there is. 2.1 together with the FLR supplement and all the non-FLR RIs would be the next-most-up-to-date (although it does not exist as a single document, and it still has some minor editorials and typos that are fixed in 2.2). I think no one in any of the MR schemes would have a problem if either of them were used, considering that whatever version is used gets identified in the ST/PP. (I know several of them subscribe to this list, so I would expect them to correct me if necessary.)
 
The Annotated version is the least up-to-date, and it has no official standing, so I don't think it should ever be used as the identified version of the CC anyway.

Hope this helps.

~~Ron Bottomly
 

-----Original Message-----
From: Arnold, James L. Jr. [mailto:JAMES.L.ARNOLD.JR@saic.com]
Sent: Monday, August 02, 2004 9:36 AM
To: Multiple recipients of list
Subject: RE: Archive of CCIMB interpretations



While RI-094 seems to have existed and a historical record should be
maintained, it has been incorporated (along with a couple others such as
RI-062) into the flaw remediation CEM supplement as well as the
(unofficial?) annotated CC documents. As such, I would tend to think 62 and
94 are required since I believe the flaw remediation supplement is an
internationally agreed document to promote recognition of ALC_FLR
process/mechanism evaluations. 

Regardless, I believe that version 2.2 of the CC is official and even if an
earlier version of the CC is claimed in a PP or ST, unless the evaluation
started prior to that document it must effectively be held to that content.
So it becomes a question of whether they have taken the easy path of
claiming 2.2 conformance or have appropriately identified all the v2.1
changes (e.g., per interpretations). Note that there are a couple relatively
minor differences between the 12-31-03 annotated v2.1 CC documents and the
v2.2 documents, but it is unlikely that they would apply (unless, for
example, you are claiming ACM_CAP.5). As such, I think at least in the U.S.
you will find that the annotated version will be the standard against which
you will be judged.
 

> -----Original Message-----
> From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of 
> Paul Bicknell
> Sent: Friday, July 30, 2004 1:32 PM
> To: Multiple recipients of list
> Subject: Archive of CCIMB interpretations
> 
> 
> The archive of international interpretations has become 
> uncertain and needs to be clarified.
> 
> The original CC website was historically considered the 
> authoritative source for international interpretations.  When 
> that website went offline, CCEVS made the international 
> interpretations as of 2003-12-31 available on their website 
> (http://niap.nist.gov/cc-scheme/interpretations/index.html).  
> Now the new CC website is (more or less) online and again 
> provides international interpretations 
> (http://www.commoncriteriaportal.org/public/expert/index.php?menu=5). 
> 
> The issue is that the list of interpretations between these 
> sources is inconsistent, and it is not clear which list 
> should be considered authoritative.  The one inconsistency we 
> are aware of is RI-062, which is included in the CCEVS list 
> but not the CC list.  Other inconsistencies may exist.
> 
> Further complicating the issue are the annotated versions of 
> the CC documents provided on the CCEVS website 
> (http://www.niap.nist.gov/cc-scheme/PUBLIC/index.html).  Part 
> 3 of the annotated version for 2003-12-31 incorporates both 
> RI-062 and RI-094 for ALC_FLR.  RI-094 is not included in 
> either the CCEVS or CC list.
> 
> At least one PP is under evaluation and the official list of 
> international interpretations needs to be established so that 
> that evaluation can complete. 
> 
>              -Paul Bicknell
>               The MITRE Corporation
> 
> 
> 
> 
> 








