I apologize to the pkix list if the following is getting to be too off-topic, and would be happy to take it off list if anyone wishes.

Francois,

I agree generally with your critique of NIST's draft CIMC PP, in the sense that its authors probably made over-liberal use of creating new security functional requirements that are not in the CC, rather than using the SFRs available. They probably could have done a much better job of using the existing SFRs with creative use of legitimate operations (selection, assignment, iteration, and refinement).

However, I disagree with the statement that "all these additional requirements would probably not be recognized through the mutual recognition." The MRA http://niap.nist.gov/cc-scheme/DownloadCCMRA.html does not recognize "requirements;" it does recognize CC evaluation certificates for PPs and IT products evaluated under the member national schemes.

A proper use of custom or "explicit" SFRs and/or security assurance requirements (SARs) is most definitely provided for in the CC. For example, in CC part 1 paragraph 5.2 we have:

"The CC recognizes the possibility that functional and assurance requirements not included in the provided catalogues may be required in order to represent the complete set of IT security requirements. The following shall apply to the inclusion of these extended functional or assurance requirements: ..."

The exact CC requirements for SFR/SAR extension in a PP are further elaborated in the Annex B Specification of Protection Profiles.

If done properly and justified in the PP/ST rationale, the use of explicit/extended SFRs in no way invalidates a PP or product evaluation. The PP/ST author does have the burden of justifying the use of any explicit (extended) requirements (which IMO the CIMC PP authors have failed to do in the current draft).

Once a PP (even with explicit SFRs) has been successfully evaluated under one of the national schemes its evaluation will be mutually recognized.

Once a product with an ST claiming compliance to such a PP has been successfully evaluated under one of the national schemes its evaluation will be mutually recognized.

-GH

FRousseau@chrysalis-its.com on 06/21/2000 12:09:18 PM

To: Gene Hilborn/DEF/CSC@CSC
cc: jean.med@arabtrust.com, ietf-pkix@imc.org
Subject: RE: certification for pki

Gene,

However, the major drawback with the Certificate Issuing and Management Component (CIMC) Protection Profile (PP) sponsored/created by the (US) National Institute of Science and Technology (NIST) is that the current version still specifies about 25 new security functional requirements (SFRs) that are NOT included in the Common Criteria (CC)/ISO 15408 instead of using the refinement and/or the iteration operations on existing CC security functional requirements.

In addition, all these additional security functional requirements from the NIST CIMC PP would probably not be recognised through the mutual recognition arrangement (MRA).

Francois
___________________________________
Francois Rousseau
Director of Standards and Conformance
Chrysalis-ITS
1688 Woodward Drive
Ottawa, Ontario, CANADA, K2C 3R7
frousseau@chrysalis-its.com Tel. (613) 723-5076 ext. 419
http://www.chrysalis-its.com Fax. (613) 723-5078

-----Original Message-----
From: ghilborn@csc.com [mailto:ghilborn@csc.com]
Sent: Wednesday, June 21, 2000 10:23 AM
To: ietf-pkix@imc.org
Cc: jean.med@arabtrust.com
Subject: Re: certification for pki

One internationally recognized avenue is an evaluation under the Common Criteria/ISO 15408. Such an evaluation up to EAL4 is automatically recognized by the (currently) nine mutual recognition arrangement countries. Two current problems are (1) that the CC itself does not contain a crypto module evaluation standard such as FIPS 140-1/2, and (2) there is not yet a consensus and evaluated Protection Profile for PKI components. Some product vendors have undertaken evaluations without PPs.
FIPS 140-1 is officially US/Canada, but also widely recognized.

There is a maturing draft PP sponsored/created by the (US) National Institute of Science and Technology, which offers a selection of four levels of assurance for certificate issuing and management components (CIMC). See http://csrc.nist.gov/pki/documents/. For specific crypto module validation, it references FIPS 140-1, but also includes all the other system security functional and assurance requirements appropriate to CIMC.

-Gene Hilborn

jean.med@arabtrust.com on 06/21/2000 06:00:06 AM

To: ietf-pkix@imc.org
cc: (bcc: Gene Hilborn/DEF/CSC)
Subject: certification for pki

Hi,

Is there any internationally accredited certification for PKI?

Jean