An amusing post has appeared on the CC User Forum. It opens like a tale from a galaxy far, far away.
The Certified Products List can hardly be a genealogy. The people who look up the list are presumably those with an interest in security who want to choose a good product. Still, the list needs an update to reflect the revised CCRA conditions.
An interesting article has been posted on the CC User Forum, starting with a story of a galaxy far, far away.
We know that the CPL is not a genealogy note. It is for those who are looking for the best product choice out of an interest in security. Unfortunately, the list needs to be revised according to the updated CCRA conditions…
A long time ago in a galaxy right where we happen to be, the Certified Products List (CPL) on the Common Criteria Portal came into being. It presents a one-and-only list of all the CC certifications performed worldwide by any lab in any scheme.
As of early March, the CPL includes >2200 certifications! The list even includes EALs 5-7; how many people outside of the smart card community realize that? In addition to the CPL itself, more than 1100 certifications are on the archived list. Wait, there’s a list of archived certifications? Yes, a link to it can be found near the top of the CPL.
Coming up on three years ago, the new CCRA was signed and a transition period began. We think that period ends in September 2017, and mutual recognition under the CCRA will be limited to EAL1-2 and cPP conformance. We believe a window is open when changes to the CPL may be proposed. Proposed by who? We don’t know, which is one of the points of this discussion.
From the beginning of 2015 to the beginning of March 2017 (roughly corresponding to the time since the new CCRA was signed), over 600 certifications have been completed, ranging from EAL1 to EAL6 plus “PP Compliant”. We know this from the CPL. Mutual recognition of half of those certifications is covered by the new CCRA, which means that the other half isn’t covered by the new CCRA.
All certifications are welcome on the CPL, and currently each scheme has control over whether and how their certifications are listed on it. We think that the CPL is under the control of the CCDB. We also think that schemes can propose CPL changes to the CCDB, and that these proposals could alter the scope of the CPL. As an example, the CPL could be changed to no longer include higher-level EALs.
From what we can tell, the process for considering CPL changes in the CCDB is not well defined, and definitely not transparent. We may not know about upcoming changes until they are implemented. There does not appear to be any explicit mechanism for industry to be involved in the process. Questions regarding the process have been submitted to the CCDB; hopefully we will learn more at the CCUF Workshop in Amsterdam.
We firmly believe that industry cares about the CPL. We are concerned that industry will not have adequate input into proposed changes.
After giving the matter some thought, we identified four areas of possible change to the CPL:
- Should certifications above EAL2 (outside the scope of the new CCRA) be included?
- How will certifications against new-style PPs that are not cPPs be listed? EAL1?
- How can more details about PP-compliant certifications be included?
- Should all certifications be subject to archival?
We want to stress that we are not aware of any changes to the CPL having been proposed by any schemes, nor are we saying that changes are going to be proposed. We are not advocating for or against any specific changes. Our goal is to raise awareness that changes might be proposed and to get interested parties involved in the process. Once we know what that process is.
A session will be held on this topic at the CCUF Workshop in Amsterdam (Monday 2-4). Since not everyone can attend the workshop, we are starting the discussion here. The presentation we plan to use for the workshop session is attached. It supplies more detail so please check it out.
If you care about the CPL then express your opinions, in this discussion or at the session or to the schemes.
Tom Benkart, Gerardo Colunga, Brian Smithson, Alan Sukert