Monday, August 19, 2013

What I would like to hear (and not) at the next ICCC...

After 13 years, the International Common Criteria Conference (ICCC) returns to the U.S. The first three-day conference took place at the Baltimore Convention Center on May 23-25, 2000. It feels almost like the end of a cycle. In the year 2000, information assurance and the use of the Common Criteria standards were firmly on the agenda of all stakeholders: government agencies, vendors, and users.

The need for mutual recognition was strongly voiced and recognized, serving as a key driver for the development of the standards, and one of the core principles for Common Criteria.
Thirteen years later, the community includes 16 certificate issuing nations and a further 10 consuming nations that have subscribed to the principles of the CCRA. Close to 80 vendor companies have registered with the CCUF, and nearly 2,000 certificates have been issued under the auspices of the CCRA.

The establishment and management of something like the CCRA is ambitious. Leading the management of such an arrangement between nations is a difficult task, requiring supervision of proposed improvements and redefined procedures.
During the years following 2000, we have seen opinions on information assurance change, but throughout this change all of the stakeholders agreed that it was important to keep the structure intact.

"Change your opinions, keep to your principles; change your leaves, keep intact your roots."

-Victor Hugo

Although the Common Criteria standard has evolved over the years, the last real change happened more than five years ago. Today, what is at stake are the basic principles: the roots of the Common Criteria standard.

Did the CCRA fail?

What I would NOT like to hear at the ICCC this year:

I would not like to see and hear just a "Dog and Pony Show," as David Martin (the CCDB chair) called his duet with Dag Stroman (the CCMC chair) during the certificate handover ceremony at a circus in Paris. This year in Orlando, the ICCC should avoid a "Goofy and Donald Duck Show," and we certainly do not want or need a Mickey Mouse standard.

An old chair
What I want is a presentation of the progress of the standard and the CCRA framework accompanying it, instead of another content-free presentation from David Martin in his role as the CCDB chair.
For example, I recall a presentation from David Martin summarizing all the problems that CC Version 4 was going to address. Those problems have been brought up by labs and vendors for many years, and yet the CCDB has not addressed a single one of those problems in the vision statement. Have those problems magically disappeared because of the "vision?" Is there no longer a need to address the problems identified over the years, just because some people have had a "vision?"

Last year, during the ICCC presentation titled "Common Criteria in 5 years," the only message I remember is David Martin's opinion that he and Dag Stroman wouldn't be there in 5 years! I am sure this can be achieved without waiting so long!

What I would like to hear about at ICCC: 

I would like the CCMC chair, Dag Stroman, to say something representative of all of the CCRA members and not just of the same few schemes, and I would like the CCDB chair, David Martin, to be open and transparent about how the standards are being developed.

Where are we heading with the standard and the future of mutual recognition through the CCRA?

We want to know, and we are paying to know. I think that, after 13 years, the CCDB owes us a clear statement of the true direction of mutual recognition through the CCRA.

Although I speak for a lab, it is not just the business of the labs that is at stake; the vendors need to know what they have to do: whether they need to evaluate once or more than once, and if so, where and against which standard.
This is a key point for the various signatory nations too, as they refine their national policies and strategies.

What is the status of the CCRA? 
We need to know. Please be honest and transparent.

The UK is doing CPA; is this recognized by the CCRA? Is CPA a UK-only thing, or is it recognized in the U.S., Canada, and Australia? The labs should know if they need to set up shop in the UK, and the vendors need to know if they have to pay for a special evaluation in the UK, and why.

India is asking for telco equipment to be evaluated only by Indian labs using ISO/IEC 15408. This is technically outside the scope of the CCRA, but certainly against its spirit. Their policies go beyond telecommunication equipment to require that even operating systems or databases used for accounting be evaluated by an Indian lab, just because they are used in a telco product, even if they have already been evaluated.
(correction 2013-09-02)

These are just two examples of how "old" and "new" schemes are trying to change the roots of the Common Criteria standard and CCRA, in direct opposition to the principles that the users, vendors, and countries originally subscribed to. 

How do scheme-specific technical communities, as opposed to international technical communities, affect the development of cPPs?

What about SOGIS? 

How about a summary of real-world policies on mutual recognition from each of the schemes?

Where are we with the cPPs?

Dag Stroman said last year that, "cPPs are like French wine, the older they get the better they become."

The problem is that we are still waiting for the grape harvest to take place! Of course, with wine there are good years and bad years, and much depends on the quality of the grapes. Not every wine is good, even after waiting several years. If we are using this metaphor for cPPs, I would also make the observation that a good vintage French wine is expensive, and sometimes very expensive.

Vendors, Labs, and People
The vendors too should come out and be heard! Continuing this dance with the different schemes is not helping. Complying with sixteen different cheap, low-assurance schemes is unlikely to be cheaper or quicker than complying with one good one.

If the main objective of the vision is to put the labs out of business and/or put a number of information assurance professionals out of a job, the vision is succeeding! 

The vision does not take into account the people who have devoted their careers to information assurance. They are not in this field to get rich; they are in it because they believe in it, and they will continue to stay around and come together. We now have a chance to direct all our efforts in the right direction under one umbrella. Once the umbrella is gone, anything can and will happen.


A last message to the "Visioners," from the business side: the CC validation business is down heavily and the trend is downward. What is more disappointing, however, is being unable to guide our customers on what to do, how to do it, and particularly how to avoid being "blackmailed" by various schemes into doing something more or something local. The vision promised cPPs developed by a Technical Community that would solve the problems. But so far the CCDB is still struggling over the criteria just to allow a Technical Community to be accepted by the CCDB. Being unable to solve this fundamental prerequisite within a year does not give me much hope that the "vision" is anything more than an illusion.

If you want the vision to succeed, then you need to plan on how to do this without killing the golden goose!

With this in mind, I will end with a quote from the inventor of Mickey Mouse: "All the adversity I've had in my life, all my troubles and obstacles, have strengthened me... You may not realize it when it happens, but a kick in the teeth may be the best thing in the world for you." -- Walt Disney


1 comment:

  1. The expression "death by a thousand cuts" comes to mind.

    If you take out all the countries with local requirements, the business case for an EAL4 becomes hard to justify.

    I think that CC had reached a level where our customers were gaining a lot of value. We provide a TOE compliant with PPs for traffic filter firewall, application level firewall, IPS, a cryptographic implementation to the highest recommendations NIST SP800-131A for cryptographic strength, high availability with clustering and hardware redundancy, remote access with IKE/IPSec and SSL, remote management. We have included virtualization as claimed security functionality for our Security Gateway and Security Management, and withstood AVA_VLA.3.

    The cPPs are early days. With only 3 certifications complete, I would not call it ready for prime time. But then the goal of consistency between evaluations is not aligned with ours, which has been to certify a full-featured and useful security solution that can be deployed in the evaluated configuration.

