Report on the 13th International Common Criteria Conference, part 1
October 04 2012, 06:25 AM
One of the great honors of my job is representing CA Technologies at the International Common Criteria Conference (ICCC), which I have done every year since 2007. This year's conference was unique in that it had a set of "pre-conference" workshops set up with the help of the newly formed Common Criteria Users Forum (CCUF). In this blog I'll provide my view of the key events and activities that came out of the workshop, and then I'll follow with a separate blog about the conference itself.
I'm thrilled that the CCUF was formed and that the Common Criteria Management Committee (CCMC) has so enthusiastically embraced working with the CCUF to enable change to the Common Criteria.
About 40 participants from industry, labs, consultants and academia took part in the workshop. It was broken up into a three-day program:
- Day 1's agenda included:
  - A discussion on Collaborative Protection Profiles (CPP) led by Miguel Banon from Spain. The main output from that discussion was that we need a catalog of all the technical communities working on Protection Profiles, a challenging problem to say the least.
  - How to handle innovation and Protection Profile development, which would seem on the surface to be an oxymoron. Essentially, three of four cases will be handled on a Technical Community basis, with the fourth case not really being resolved (innovation that, if shared, will reduce a vendor's competitive advantage). I found this discussion to be a distraction, and not as critical as some of the other issues we tackled that week.
- Day 2 was essentially a series of breakout sessions:
  - Key sessions included an update on the Supply Chain technical community, Defining the CPP Lifecycle Stages, and Evaluation of Products that are not appropriate for a Protection Profile.
  - I also led two sessions: one on The Open Trusted Technology Forum, and one about the Enterprise Security Management Technical Community.
  - Although I could not attend "Discussion on the Impact of the "No EAL" Strategy on the User Community and how it is Perceived by Consumers," Matt Keller's notes posted on the CCUF portal suggest that session revealed the key is "Global Transition." In other words, as long as the schemes all recognize the value of evaluations done with a specific EAL and educate acquirers that a higher EAL does not equal better, then this strategy can work.
- On Day 3, the CCDB joined the CCUF, and we discussed our progress and recommendations and, most importantly, asked questions.
  - Again we got another curveball from the CCDB, asking us to look at "Fuzzing" (systematic vulnerability search) and how this could be made repeatable by each lab. Most attendees didn't feel this was possible. In fact, a lab's vulnerability testing approach is what makes it unique.
  - We got to submit some questions to the CCDB in advance, and when they showed up, we had a lively discussion. The questions were:
    - International Technical Communities (TC) versus Single-Scheme TCs: essentially, the point here is that some nations may have country-specific reasons why they don't seek international recognition. What is important to the CCDB is one Technical Community per technology type.
    - Acknowledgement of the CCUF: a link will be posted on the CC portal, and many of the schemes also agreed to do the same.
    - Next version of the CC: minor.
I asked a question about how a TC can become a Collaborative Protection Profile. David Martin (Chair of the CCDB) said I needed to write a letter to the CCDB and that they would vote on it. So for my ESM Technical Community, that is exactly what we plan to do.
It looks like they want to try to hold these workshops twice a year to be in sync with the CCDB meetings. In my next blog, I'll walk you all through the conference itself, and the big announcement we heard.