Wednesday, October 19, 2011

Technical Communities as posed by the CCDB

The CCDB have posted on the CC portal a draft vision statement about technical communities and the development of Collaborative Protection Profiles (CPPs) and supporting documents.

There was much discussion at the last ICCC conference on this topic and since then I've had several discussions on the topic with a few of my CC community colleagues. I thought it might be useful to bring the discussion to a more public forum so that the thoughts and comments of others in the community can be added and heard. So please add your valuable comments. :)

The draft vision statement requests technical communities (TC) and acknowledges that a “Terms of Reference” needs to be in place without, so far, elucidating in too much detail about what precisely is expected. Such a TC will be responsible for developing and maintaining CPPs and their supporting documents for technology areas (yet to be decided) that can be used in evaluations under the CCRA by many nations. These documents will be approved by the CCDB by some formal mechanism.

To be successful the TCs will need to include representation of all the stakeholders related to the documents at least from the end-user communities, the vendors and integrators, laboratories, schemes, and even, perhaps, the CCDB itself.

As well as bringing together a community of technical experts, there are non-technical issues that need to be considered when developing such documents in such a community including how to deal with anti-trust, patents, copyright, intellectual property, and so on. These are not trivial considerations and especially in a multi-national setting need to be addressed by experts in that field if the risk of (expensive) problems are to be avoided. Although the CCDB/MB propose a governance structure it does not seem to extend to the provision of these services/practices to a TC, these are well established needs in the commercial world.

For this reason so far, none of my colleagues have suggested that a simple “clan gathering of technical experts”, such as the CCF or CCVF in the form that they have so-far existed is likely to be successful. Such a Technical Community must have global reach, provide legal support, and be capable of forming a relationship with the CCDB. Since the CCDB is expecting to provide some authority, or formal acceptance of CPPs from a TC, and proposes a governance structure within the CCDB for formalizing the acceptance of CPPs by the CCMB and even "appointing" a TC then that may need to be a formal relationship with a contractual type relationship between the two organizations.

One important consideration related to operating under an organization that provides these "meta services" to the development effort is that there is a direct cost associated with them. Administration of a global group, providing legal services and processing any issues that arise is expensive, and usually those costs are recovered through the membership in the form of membership fees, or by charging for the standards and documents produced. Also note that community that has stakeholders based internationally is likely to include international travel. Without a formal agreement between the CCDB/MB and the TC there is a risk that a significant investment by members of a TC could be lost.

Costs of participating are a factor for consideration and may end up effecting how smaller organizations can effectively participate. Consider also that for some stakeholders including laboratories, schemes and end-users that it may be necessary to participate in more than one technical community. There may be benefits of simplicity and cost if all Technical Groups are under one umbrella, but that may be a difficult goal to achieve if there are several independent TCs established.

So, we must consider that a TC is in fact developing standards that will be used in an international setting, and we observe that many of the established standards development organizations (SDO) may meet the needs stated above. There are several general SDO groups that might meet the requirements. ACM, IEEE, ISO, ITU, The Open Group, to name a few. Technology specific groups, for example ITU; The WiFi Alliance; and many others too numerous to mention, may also be considered.It might be the case that a combination or organizations meet the needs of the the CC community, but then the CCDB would need to develop relationships with several organizations.

We also need to consider the CCDB's requirements for such a community. Their draft vision statement says that such a community must have:

  • Terms-of-Reference (describing rules for membership, voting procedures etc) and regular liaison statements are needed;
  • Work in progress/intermediate outputs shall be open for all interested parties and will be referenced on the CC portal.

The success of the smartcard TCC cited by the CCDB is interesting. I'm wondering if someone has the knowledge to describe the characteristics of this group, and the factors that have made it successful. Has this group in fact faced some challenges? If so, what were they?

Below is a discussion of some of the attributes of a couple of groups that I know enough about to present. I'm not specifically promoting these but discussing the merits of each in the context of the TC model proposed by the CCDB may allow some further analysis about the CC communities approach to this problem.

I'm hoping that others may contribute a summary or comment about SDOs or organizations that they have knowledge of. Perhaps with this knowledge we can understand the landscape and opportunities for potential and effective technical communities.

ISO has a mature governance, structure, and mechanisms for dealing with issues of anti-trust, copyright, patents, IP etc.
  • ISO/IEC JTC 1/SC 27 WG 3, who are responsible for editing the ISO/IEC 15408 standard and whose terms of reference includes work such as Community Protection Profile (CPPs), already has a formal relationship with the CCDB.
  • An ISO standard (perhaps a CPP) can be formally adopted or not by each nation as a national standard, and carries a status of international recognition.
  • Many of the SDOs including national standard's bodies and SDOs such as The Open Group, IEEE etc are already represented and have the right to submit existing standards through the PAS or Fast Track procedures for consideration as International Standards.
  • It is an organization of which national standards bodies and liason organizations are the representatives rather than commercial organizations. Commercial organizations, vendors,laboratories etc would be represented at least once removed, and may not be easily represented in some countries where the national standards bodies are not comprised of commercial or stakeholders other than the government.
  • Unless a CPP is submitted as a PAS from a formal liaison organization or is agreed to be Fast Tracked might take 3-4 years to produce an approved, published document.

The Open Group
  • The Open Group has a mature governance, structure, and mechanisms for dealing with issues of anti-trust, copyright, patents, IP etc.
  • The Open Group operates on a consensus approach
  • The Open Group is able to flexibly configure a "forum" or various working groups that may meet the need for a Technical Community(ies).
  • The Open Group operates internationally
  • Many vendors from a variety of technology areas are already members.
  • It is an organization of which commercial organizations can be directly represented. It is Open to membership by vendors, government organizations, laboratories, end-users etc.
  • It already has a liaison relationship with ISO (and other SDOs), and could form a formal relationship with the CCDB, individual schemes, other MRAs etc.
This post is also mentioned in the Linked In Common Criteria professionals group.

by Fiona Pattinson


  1. Some years ago, Hardcopy Devices vendors started what amounted to a technical community as an IEEE Standards Working Group (under the IEEE Standards Association, or IEEE-SA). Working with schemes, labs, and consultants, we produced two validated PPs and vendors have been certifying conforming products (click on my name to visit the IEEE P2600 Working Group web site).

    IEEE-SA is an internationally recognized SDO, has a mature governance, structure, and mechanisms for dealing with issues of anti-trust, copyright, patents, IP, etc. There was no cost from IEEE to participate in the Working Group, and they provided some basic infrastructure support (mailing lists and web site).

    However, we faced two challenges:

    (1) The PPs were issued as IEEE standards and validated as PPs, so we had to merge the format, content, and approval requirements of two standards organizations into our work.

    (2) IEEE-SA is supported in part by the sale of IEEE Standards, and so we could not make the PPs freely available for reading or for derivative works (in this case, STs) without purchasing a license for those purposes from IEEE.

    In retrospect, a better choice may have been to use another SDO that operates separately but is affiliate with the IEEE-SA: the IEEE Industry Standards and Technology Organization (IEEE-ISTO).

    IEEE-ISTO also has a mature governance and all the rest, but unlike IEEE-SA, it gives its member programs more flexibility in setting their own operating policies, procedures, and membership pricing, and each IEEE-ISTO program owns the copyright on their work products and can make them available on their own terms.

    There is a cost to set up and operate an IEEE-ISTO program, but it is significantly less expensive than other SDOs. The cost depends on how much or little support is required from IEEE-ISTO.

    For example, the Printer Working Group is an IEEE-ISTO program that has been developing interoperability standards for many years. The total annual budget for the PWG is less than two corporate memberships in other SDOs like The Open Group.

    I think that IEEE-ISTO is worth considering for incorporating an individual technical community or an umbrella organization for multiple technical communities.

  2. I personally am not sure that PP development is developing a standard; I think of it as a spec under a standard. I am also not clear that legal protections are required. What does the Smart Card community have? What scenarios can we see where not having legal agreements and protections in place could create a problem? The ESM PP Community is almost finished with our Terms of Reference; it is very light weight and doesn't have legal protections or fees. It will be interesting to see if the CCRA recognizes our TC based on those TORs we author.


Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.