Common Criteria blogs

A summary of our communications on issues related to the CC

Newly Approved NIAP "collaborative Protection Profile for Network Devices"
A presentation of a comparison of the new NDcPP v1.0 to NDPP v1.1 Errata #3.

Collaboration and openness to the rescue of entropy
Dr. Yi Mao calls for collaboration in assessing entropy

Vendor Viewpoints (from a Lab)
CC Lab manager, Ken Hake, gives a vendor's point of view

Dual_EC_DRBG usage in evaluations
Some useful information from the atsec team

A Youthful Idiot's Take on the Common Criteria
by Jeremy Powell.

Riding the tiger
Staffan Persson summarises both the highlights and lowlights of the 14th ICCC.

ISO's work related to Common Criteria
A short history of the relationship between ISO and the CCDB

The first week in Orlando
Fiona Pattinson reports on the CCUF meeting co-located with the CCDB meeting.

Marketing the CC: It's all about trust
Gerald Krummeck discusses some important aspects of marketing CC.

One year after the Vision Statement – What has happened in the meantime?
Helmut Kurth details his concerns in regard to the progress made in support of the CCMC's vision statement.

What I would like to hear (and not) at this year's ICCC
Sal la Pietra looks forward to the 2013 ICCC.

A Eulogy for the Common Criteria Recognition Arrangement
A poignant thought about the CCRA. Something to think about ahead of this year's ICCC.

How long is a piece of string?
Some thoughts about project management and timing for CC projects.

Double Vision
This post, by Sal la Pietra, atsec's CEO, discusses the CCMC's presentation of the vision statement. There are concerns that it was presented as a "done deal" when in fact there are many issues with the vision that need to be discussed by the community before it can be progressed to reality.

Collaborative PPs and the Oracle of Delphi
Helmut Kurth, our CSO and laboratories director, visits the Oracle of Delphi in order to discover the best advice in regard to a PP usage model. Before too long he realises that in fact the work has already been done, several years ago, and that the community is perhaps to some extent re-inventing the wheel.

Deep Thought on PPs
Following Helmut's advice on PPs, Fiona Pattinson, Director of business development and strategy, buckles down and does some work to extract much needed information from the data we have about past PP usage, information that can be used to inform the decisions we make about PPs.

CC and the Development of Security Requirements
Staffan Persson, Head of our Swedish ITSEF and atsec's CEO in Europe, examines the development of security requirements. His point is that by restricting the assurance level of PPs and evaluations we risk losing knowledge, skills and expertise in the community.

Programming the Evaluation Robot
Gerald Krummeck, Head of the German ITSEF, looks at the use of tools and the automation of evaluation. Is the concept of objectivity and repeatability being misunderstood, and what do we stand to lose if we blindly apply automated tools?
 
To PP or not to PP - Too Narrow a View?
Ken Hake, Head of the atsec U.S. Lab, looks at the issues of cPPs and assurance levels, referring to his interactions with our customers on the topic. Is it realistic to expect 26 nations to agree on a PP?

A Dragon or a Worm?
Dr Yi Mao, Deputy laboratory director with atsec US, looks at the relationship between EALs and PPs.

The Price to Pay
Rasma Mozuraite Araby's article "The Price to Pay" discusses some of the acquisition scenarios surrounding security assurance and how change may affect the acquisition costs of assurance consumers such as government departments.

7 Shades of Grey
Stephan Müller argues that the EALs represent a spectrum of testing from white box to black box. He builds on this with a discussion of open source software and asks whether open source software will be better tested than proprietary software if labs are not able to have access to the source code.
 

Presentations and Papers

Quo Vadis Common Criteria, by Helmut Kurth. In this presentation Kurth attempts to predict the future based on an analysis of the past.

ICCC 2004
- Suggestions for a Framework for Composite Evaluations - Kurth (together with Paul Karger from IBM)
 

ICCC 2006
- Applying the Draft CC Version 3.0 to Linux - Experience from a Trial Evaluation - Kurth
- Modeling Security Functional Requirements - Kurth

ICCC 2007 (Rome)
- Operating System Evaluations - What security functionality is expected - Kurth (together with Walt Farrell, IBM)
- Secure-System Design - Pattinson
- How to Eat a Mammoth: Experiences With the Evaluation of Complex Software Products Under the Common Criteria - Krummeck (with Bill Penny, IBM)

ICCC 2008 (Korea)
- Integration of Architectural Requirements into the CC Structure - Kurth (together with Susanne Pingel from BSI)
- Measuring the Effectiveness of a Security Development Process - Kurth (together with Mike Grimm, Microsoft)

 
ICCC 2009 (Norway)
- An Attack Surface Driven Approach to Evaluations - Kurth
- Evidence Based Evaluations - Chances and Challenges - Kurth

ICCC 2010 (Turkey)
- Improving the Flexibility and Applicability of Protection Profiles - Kurth

ICCC 2011 (Malaysia)
- Evaluating Third-Party Code: How can it be trusted? - Cavness
- Fighting the bean-counters - Krummeck

An Access Control Model for Applications on Mobile Devices using Common Criteria Certifications - Hyunh, Kurth

ISO/IEC SC 27/WG 3:

ISO/IEC TR 15446:2009 Information technology -- Security techniques -- Guide for the production of Protection Profiles and Security Targets
(Editors: Nash, Kurth)

ISO/IEC TR 15443-1:2012  Information technology -- Security techniques -- Security assurance framework
(Editor: Pattinson)

ISO/IEC 15408-1:2009 Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model
(Editor: Pattinson)