[Cryptography Team] Common Criteria Documentation...

Ron Teitelbaum Ron at USMedRec.com
Wed Oct 18 01:34:34 UTC 2006


Kyle,

Just to be clear, in case I'm missing something.  My understanding is that
there is a large amount of work that needs to be done to show that we meet
the criteria.  My interest right now is the tasks that need to be performed
prior to an actual validation.  If we decide on a platform and then run
through the validation tasks we can identify the holes in our system that
still need developing.  We don't need an actual secure platform to do the
validation until we are sure that we can pass the validation.  At that point
we can start working on setting up an actual implementation for a lab to
scrutinize.  

In my opinion we should be considering this pre-validation research, which
means we can loosen the actual requirements as long as we believe that we
can meet those requirements when the time comes to move to the next phase.

Does that make sense or am I missing something?

> -----Original Message-----
> From: cryptography-bounces at lists.squeakfoundation.org
> [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of Kyle
> Hamilton
> Sent: Tuesday, October 17, 2006 8:08 PM
> To: Cryptography Team Development List
> Subject: Re: [Cryptography Team] Common Criteria Documentation...
> 
> I've updated it with my comments.
> 
> Since the system is written in itself (and runs inside itself), there
> are several things in the PP that require redesigning very large parts
> of the system.  We need at least one VM hacker on this list to
> evaluate the feasibility of some of the needed changes.
> 
> Note: The current wiki system is probably not going to be sufficient
> for long-term usage.  Part of the EAL that we need to meet includes
> positive authorized user identification for all changes to the
> configuration... and since documentation (and an audit trail and
> history) will be a major part of proving our case to the assurance
> labs, I'm thinking that we should treat it as part of the
> configuration.  We'll need individual usernames and passwords for the
> modifications until we get X.509/PKI up and running, then we'll
> possibly be able to use PK crypto certificates for authentication.
> 
> I'll leave it up to Krishna to determine the actual policy and
> implementation, since he's got formal validation experience.  I just
> know what I've read in the CC PDFs and the single-layer OS/moderate
> environment document, and I'm interpreting it in the most secure (and
> most trust-pessimistic) manner that I can.
> 
> Here's hoping that we get at least one validation out of this in the end.
> :)
> 
> -Kyle H
> 
> On 10/17/06, Krishna Sankar <ksankar at doubleclix.net> wrote:
> > Have started to put the task list and notes in our cryptography Wiki page at
> > http://minnow.cc.gatech.edu/squeak/5776.
> >
> > For now, the cc information is at the end of the cryptography page. As we
> > add more details and get a fix on the organization, we can start a set of
> > new pages.
> >
> > Kyle, can you pl add your notes and observations ? Thanks.
> >
> > Cheers
> > <k/>
> >
> > > -----Original Message-----
> > > From: cryptography-bounces at lists.squeakfoundation.org
> > > [mailto:cryptography-bounces at lists.squeakfoundation.org] On
> > > Behalf Of Krishna Sankar
> > > Sent: Tuesday, October 17, 2006 9:46 AM
> > > To: Ron at USMedRec.com; 'Cryptography Team Development List'
> > > Subject: RE: [Cryptography Team] Common Criteria Documentation...
> > >
> > > > http://code.google.com/p/squeak-cc-validation/ = Validation
> > > > documentation, plan and test results, bug tracking.  This should not
> > > > hold code.
> > > <KS>
> > >
> > >       I would prefer to hold the validation documentation,
> > > plan and test results in a Wiki. That way we have built-in
> > > revision control as well as history tracking. In that sense
> > > the Google projects do not help us.
> > >
> > >       The bug tracking in Google projects is fine.
> > >
> > > </KS>
> > >
> > > > -----Original Message-----
> > > > From: cryptography-bounces at lists.squeakfoundation.org
> > > > [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of
> > > > Ron Teitelbaum
> > > > Sent: Tuesday, October 17, 2006 9:34 AM
> > > > To: 'Cryptography Team Development List'
> > > > Subject: RE: [Cryptography Team] Common Criteria Documentation...
> > > >
> > > > I thought the idea was to use SVN for those documents?  If more is
> > > > needed let's just use the wiki that is part of
> > > > www.squeaksource.com/Cryptography
> > > >
> > > > It's not a full wiki in that it doesn't appear to support file uploads
> > > > but that's what I thought the google source was for.
> > > >
> > > > Can we map out what our requirements are and what our current
> > > > resources are for meeting those requirements, then we can look at what
> > > > more we need.
> > > >
> > > > What I see is:
> > > >
> > > > www.squeaksource.com/Cryptography = Code Repository and limited wiki
> > > >
> > > > http://code.google.com/p/squeak-cc-validation/ = Validation
> > > > documentation, plan and test results, bug tracking.  This should not
> > > > hold code.
> > > >
> > > > cryptography at lists.squeakfoundation.org is our mailing list.
> > > >
> > > > Ron
> > > >
> > > > > -----Original Message-----
> > > > > From: cryptography-bounces at lists.squeakfoundation.org
> > > > > [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of
> > > > > Krishna Sankar
> > > > > Sent: Tuesday, October 17, 2006 11:11 AM
> > > > > To: 'Cryptography Team Development List'
> > > > > Subject: RE: [Cryptography Team] Common Criteria Documentation...
> > > > >
> > > > > Kyle,
> > > > >
> > > > >   Can you see if you have the SVN write access ?
> > > > > All,
> > > > >   Just as FYI, we need gmail address to become part of the Google
> > > > > project and it has no Wiki. Any thoughts on the Wiki for us to
> > > > > document the functionalities and the results of development/testing ?
> > > > >
> > > > > Cheers
> > > > > <k/>
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: cryptography-bounces at lists.squeakfoundation.org
> > > > > > [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf
> > > > > > Of Kyle Hamilton
> > > > > > Sent: Monday, October 16, 2006 8:33 PM
> > > > > > To: Cryptography Team Development List
> > > > > > Subject: [Cryptography Team] Common Criteria Documentation...
> > > > > >
> > > > > > I found the Google Code project that Krishna started, and uploaded
> > > > > > the Common Criteria documentation I found (in PDF
> > > > > > form) to it as an issue.
> > > > > >  Unfortunately, I don't have SVN write access, and I don't know how
> > > > > > to get it either.
> > > > > >
> > > > > > After reading it, I realized that it /IS/ a good idea for anyone
> > > > > > starting on CC validation to read it before they start.  It's
> > > > > > important to realize what it is, and what the goals must be.  (As
> > > > > > well, it also helps customers -- that'd include you, Ron --
> > > > > > understand what the various validation levels are, and compare them
> > > > > > to regulatory
> > > > > > requirement.)
> > > > > >
> > > > > > --
> > > > > >
> > > > > > -Kyle H
> > > > > > I speak only for myself.  I don't have the faintest clue about
> > > > > > anyone else.
> > > > > > _______________________________________________
> > > > > > Cryptography mailing list
> > > > > > Cryptography at lists.squeakfoundation.org
> > > > > > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
> > > > > >
> 
> 
> --
> 
> -Kyle H



