Monday, September 9, 2013

The first week in Orlando

Last week we attended the CCUF meeting in Orlando. 

This meeting is co-located with the bi-annual CCDB meeting, and co-locating them gives the two organizations an opportunity for cooperation. Both groups operate in closed session, but for the CCMC the members are the CCRA nation representatives, while the CCUF membership includes representatives from the whole community, including the national schemes. The two organizations also arranged some joint “de-briefing” meetings.

In addition to the formal sessions, of course a lot of discussion also happens during the breaks, and for quite a few of us at the joint “(Un) Happy” hour.

Gossip, rumors, and innuendo are always prevalent when two groups with different objectives are juxtaposed. Here are a few from the week:

If only… “The atsec blog would go away”… and… “Yay! for the atsec blog” ;)

If only… We could solve the CCUF tea problem! 

A nice hot cup of tea

Trivial? Perhaps this is a symptom; but how can the CCUF be a powerful organization if we don’t have a nice hot cup of tea?

It's an important part of the process, accepted and enjoyed by the diverse peoples of many nations. Tea can be used to predict the future and, especially useful when discussing crypto topics, can also be used for generating small amounts of finite improbability.

(I don’t know, perhaps the CCUF needs to be a legal entity before we can sponsor tea for ourselves?)

If only… The CCUF would represent the whole of the criteria-using community. Not just those working under one MRA (i.e., the CCRA) but also supporting those working under other mechanisms for applying the criteria such as SOGIS, commercial schemes, and even national applications – regardless of whether they use the CCDB’s CC or ISO/IEC 15408.

An observation from the Mobility Device working group: "The CCUF has just about zero direct representation from end users. This is fine (in theory) because the schemes may play the role of advocating for their end users. They don't here. At least, NIAP doesn't, who was clearly running this TC."

If only… We’d started developing cPPs ten years ago. Using this process we would have an agreed PP for secure floppy disks ready for use very soon now.

Does the CCMC realize that it takes at least 2-3 years for international organizations to achieve international consensus? Some TCs are being led to believe that, once completed, a PP can be approved in a few months (NIAP quoted 3-4 months from completion in the TC to publication during the MFP workshop today). The CCMC process, however, can be expected to take much longer, given the complex national approvals and endorsements required by the formal process being developed as part of the USB TC.

We must set expectations properly and communicate that in reality, following a formal process, it will take at least 5 years to produce a cPP.

In fact, ISO’s JTC 1/SC 27 and the CCDB have an established special relationship. Are we clever enough to leverage that relationship intelligently? Can we save some time?

If only… Key CCDB documents, such as the proposed new CCRA, could be open for CCUF members to review too. 
The CCUF has many very experienced members who can offer potentially valuable contributions. Even though the CCUF will not be a signatory to the CCRA, the CCUF members are key stakeholders.
Last week I heard from the MC chair that the new CCRA will be published without any review from the CCUF constituents. If these stakeholders have any issues, the CCMC may consider these for the next CCRA. – Wow!

If only… The good intentions, willingness to contribute and produce something good, enthusiasm and expertise that we find in the CCUF were not being eroded by confusing, changing, inconsistent policies and delaying tactics from the CCMC.
Here is one expression of opinion I heard: "There is not clear direction, everyone is concerned they will do work that won't be approved, and they constantly look around to see what others are doing to see if they comply with that, since there seems no clear directive on a way forward."

If only… We understood the parameters and goals of the proposed iTC for “Apps on an OS.” That is obviously going to be one very busy iTC and will need some special management techniques.

By the way, is a virtualized OS also an “App on an OS” and will there be another sister iTC for “Apps not on an OS?”

Again, information on this proposal seems scanty, and I, for one, look forward to much more clarity from the CCMC on the scope of this item.

If only… The CCMC would adopt another message for the week other than “It is hard to co-ordinate 26 nations.” Yes, we got that. All the CCUF members I spoke with during the week agreed that it is hard to coordinate 26 nations.
Two points on this:

1. I would suggest that every time we hear this message next week we recall that some organizations have already worked this out, and have policies and procedures to deal with this problem in “reasonable” time frames. Two examples: ISO (SC27 currently coordinates 68 nations) and ICAO (currently coordinates 191 nations). These organizations publish their procedures, and it’s not easy for them either.
At least ISO’s JTC 1 process includes co-ordination with each national standards body. In turn many of these JTC 1 members include representatives from the vendor/developer community, whose expert contributions are solicited and respected.
Does the CCMC not try to learn from these mature organizations?

2. Developers working internationally also have to deal with this problem. They are selling products to a variety of national governments and have the unenviable task to understand the various regulations and policies of nations in order to develop and sell their products. That is not easy either.

If only… The CCMC paid attention to some of the project dependencies and communicated (estimated) time frames. Perhaps a simple Gantt chart might help the CCUF in their planning and coordination?
Example: New iTCs cannot be formed until the iTC procedures and policies are complete, yet we seem to have already formed several TCs that may be put back to the beginning once we know where the beginning is.

If only… The schemes paid proper attention to current weaknesses and threats.
Example: The Mobile PP requires only TLS 1.0, rather than the more recent versions that have been updated to address more recently identified weaknesses and threats.

(On this topic, an interesting speculative blog article by Matthew Green is here.)

If only… The national schemes would communicate between themselves more effectively.
Example: last week in the OSPP workshops we heard two major vendors claim that a document containing "General-Purpose OS Cryptographic Requirements" had been provided to U.S. and Canadian evaluations back in April, but the OSPP pilot evaluation run by BSI had never been made aware of its existence, which shows some weird understanding of the cooperation in such pilot projects.

If only… There were no rumors…:
Next week we may find out if some are true…

  • A new certificate producing nation will be announced. (It is already announced on the CC Portal)
  • A new CCRA, as promised by the CCMC chair (this was announced at least a year ago in Paris), and the promise has been re-iterated this week.
  • Where will the conference be held next year?
  • Who is the missing Mickey?

By Fiona Pattinson


    1. Your comments are always informative and entertaining, much more so than attending the conference. Keep it up!
