P2600-action-items-current

					                                                                                                                                                                                                  Status
                                                                                                                                                                                               A=abandoned
                                   Planned date   Actual date       Assignee                                                                                                                    C=complete
Action                Original          of            of         [ -> others to                                                                                                                  H=on hold
Item #   Entry date   Due date      completion    completion     do the same]     Clause  Section   Action                                                                                       P=partial   Disposition
  507    4/30/2009                                 2/26/2010    Smithson/Nevo      PP-A             Get a copy of the final atsec evaluation report without confidential markings                    C
  531    2/19/2010                                                  Smithson       PP-B             work with atsec and BSI to get certification after 2600.2 is published                           P       in process
  532    2/19/2010                                                   Wright        PP-B             work with IEEE to get 2600.2 added to the GetIEEE2600 web page                                   P       in process
  533    2/19/2010                                 2/22/2010         Sukert        Guide            add new section 1.5 with participant (from 2600.1) and Editor credits                            C
  534    2/19/2010                                 2/26/2010        Smithson      web site          put a link to an unprotected PDF of the Guide on the 2600 home page, left pane, and              C
                                                                                                    also add links under Related Documents on the home page and "how to obtain" page

 535     2/19/2010                                 2/19/2010       Smithson       web site           update the references to 2600.2/3/4 with "approved" status and date suffixes                   C

 536     2/19/2010                                 2/21/2010        Sukert         Guide             send final draft to attendees of meeting #49 for one last check                                C
 537     2/19/2010                                 2/26/2010       Smithson        Guide             place final DOC version of the Guide in the protected techdocs area                            C



                                                                                                COMPLETED ITEMS APPEAR BELOW:
 530     12/17/2009   1/15/2010                                     Sukert         Guide           modify text about USB interfaces per Dec minutes (page 5)                                        C
 529     12/17/2009    1/8/2010                    2/19/2010       Smithson        Guide           contact Helmut about the FPT_FDI_EXP example to resolve                                          A        WG decided to use the example, as
                                                                                                   comment #7                                                                                                is
 528     9/30/2009    10/18/2009                  10/18/2009        Wright        PP-B/C/D         submit to RevCom for December 7-9 approval                                                       C
 527     9/30/2009    10/5/2009                    10/2/2009        Wright        PP-B/C/D           arranged for WG vote by mail and recirculation                                                 C
 526     9/30/2009    10/3/2009                    9/30/2009       Smithson       PP-B/C/D           prepare find docs and diffs for WG vote, recirculation RevCom                                  C
 525     9/11/2009    10/11/2009                   10/2/2009        Wright                           draft a new PAR for 2600.1 revision to use NIAP "tailored assurance requirements"              C
                                                                                                     and set up a WG email vote (submit to RevCom by 10/19)
 524     9/11/2009    10/9/2009                   10/17/2009        Sukert         Guide             work out September guide comment #109 with Smithson                                            C
 523     9/11/2009    10/9/2009     12/1/2009      12/2/2009        Sukert         Guide             resolve September guide comment #105 by asking for clarification from Helmut and               C
                                                                                                     propose a resolution with Carmen and Alan
 522     7/31/2009     8/3/2009                    8/3/2009        Smithson        PP-A              re-draft response to NIAP's EAL2 change request and send on 8/4                                C
 521     7/31/2009                                 12/2/2009        Sukert         Guide             draft something about the USB interface/drive comment from NIAP                                C
 520     7/31/2009                                 8/6/2009        Smithson        Guide             re-draft section 6.6 page 54 lines 34-44                                                       C
 519     7/31/2009                                 9/29/2009       Smithson        PP-B              check with atsec on current status of BSI validation                                           C        estimated completion: end of
                                                                                                                                                                                                             October (2009 :-)
 518     6/22/2009                                 9/30/2009       Smithson       PP-B/C/D           update PPs with revised scope/purpose from revised PARs                                        C
 517     6/22/2009                                  7/1/2009        Wright         general           post revised PARs for 2600.2, 2600.3, 2600.4                                                   C
 516      5/1/2009     6/1/2009                                     Sukert          Guide            add text somewhere in clause 5 according to response to JBMIA comment #6 in April              C
                                                                                                     2009 minutes
 515      5/1/2009     6/1/2009                                     Sukert         Guide             add text to 5.2.2.7.1(d)(1)(iv) according to response to JBMIA comment #5 in April             C
                                                                                                     2009 minutes
 514      5/1/2009     6/1/2009                                     Sukert         Guide             add text about ALC_FLR.2 according to response to JBMIA comment #4 in April                    C
                                                                                                     2009 minutes
 513      5/1/2009     6/1/2009                                     Sukert         Guide             add text to 5.2.2.3.1 according to response to JBMIA comment #3 in April 2009                  C
                                                                                                     minutes
 512      5/1/2009                                                JBMIA reps       Guide             provide clarification for JBMIA comment #2 regarding external authentication                   C        no further questions or requested
                                                                                                                                                                                                             changes from JBMIA at this time

 511      5/1/2009     6/1/2009                    6/1/2009         Sukert         Guide             Add to the international section text that reminds the ST Author that some schemes             C
                                                                                                     have different rules on defining the TOE boundaries. However, any security relevant
                                                                                                     component addressed in the PP or ST must be included in the TOE.

 510      5/1/2009     6/1/2009                                  Sukert/Aubry      Guide             check with atsec to see if FDE disks meet the requirements of FPT_CIP_EXP.1.2                  C

 509      5/1/2009                                              Wright/Thrasher    general           Resolve June versus July meeting date and location                                             C
 508     4/30/2009                                 6/1/2009         Sukert          Guide            Have a draft of the Guide by June 1.                                                           C
 506     4/30/2009                                              Smithson/Wright     PP-B             Work with atsec to complete application to BSI to get PP-B validated                           C
 505     3/19/2009     4/9/2009                    3/23/2009         Nevo           PPs              negotiate with IEEE to get expedited publishing of 2600.1 for around $3000                     C
 504     3/19/2009    3/27/2009                    4/29/2009       Smithson        general           update schedule with revcom date at SA ballot period                                           C
 503     3/19/2009    3/27/2009                    3/30/2009        Sukert          guide            update and post new draft of PP guide based on approved comments                               C        done in 43a
 502     2/19/2009    2/27/2009                    3/18/2009       Smithson        general           update and publish project schedule                                                            C        posted
 501     2/19/2009     3/5/2009                                     Wright         general           get permission to publish draft standards after submitting them to RevCom                      A        they said no
 500     2/19/2009     3/5/2009                                     Wright         general           set up email alias and closed mailing list for PP inquiries                                    C        stds-2600.1, etc.
 499     2/19/2009     3/5/2009                                     Wright         general           obtain details about how the PPs will be made downloadable by IEEE                             C        similar to
                                                                                                                                                                                                             http://standards.ieee.org/getieee80
                                                                                                                                                                                                             2/
 498     2/19/2009     3/5/2009                    3/30/2009        Sukert         guide             obtain and place text indicating that TOE software is an example of TSF Protected              C        done in 43a
                                                                                                     Data
 497     2/19/2009     3/5/2009                                     Sukert         guide             obtain and place text representing 2600.4 recirculation #1 comments 1 and 2                    C        I added the requested text for both
                                                                                                                                                                                                             comments 1 and 2
 496     2/19/2009     3/5/2009                                     Sukert         guide             obtain and place text representing 2600.3 recirculation #1 comments 2 and 1                    C        I added the requested text for both
                                                                                                                                                                                                             comments 1 and 2
 495     2/19/2009     3/5/2009                    3/30/2009        Sukert         guide             obtain and place text representing 2600.2 recirculation #1 comments 7, 8, 3, 10, 2, 5,         C        done in 43a
                                                                                                     11, 6, 4, and 9
 494     2/19/2009     3/5/2009                    3/30/2009        Sukert         guide             obtain and place text representing 2600.1 recirculation #1 comments 7, 8, 3, 10, 2, 5,         C        done in 43a
                                                                                                     11, 6, 4, and 9
 493     2/19/2009     3/5/2009                                     Wright         general           send an additional funding request to the original set of companies who funded the PP          C        email sent about this
                                                                                                     evaluation effort
 492     12/12/2008    2/5/2009                    9/11/2009        Sukert         PP-E              work with Harry Lewis to get a core group established and then look at getting a PAR           A        Harry Lewis has been reassigned
                                                                                                     for a new project                                                                                       off of P2600, Alan will take up the
                                                                                                                                                                                                             task
 491     12/12/2008   12/19/2008                   2/6/2009        Smithson         PPs              update PP eval schedule (remove old stuff, add additional RevCom milestones, show              C
                                                                                                     final IEEE publication 3-6 months from approval)
 490     12/11/2008    2/5/2009                    1/21/2009       Smithson        PPs               update drafts according to approved comments from Plantation meeting                           C
 489     12/11/2008    2/5/2009                                    Smithson        PP-B              correct NVS package in PP-B -- should apply only to TSF Data                                   A        cannot do this, because we cannot
                                                                                                                                                                                                             make an exception in one area that
                                                                                                                                                                                                             we don't in another (User Data is
                                                                                                                                                                                                             protected elsewhere)


 488     12/11/2008    2/5/2009                    1/14/2009       Smithson         PPs              fix heading/text problem in PP-A (and others?) around clause 18.2                              C
 487     12/11/2008   12/12/2008                   1/23/2009       Smithson         PPs              ask atsec about scope of I&A audit items (includes logout?) and relationship with audit        A        PP has been approved as is
                                                                                                     item for SSL.3
 486     10/24/2008   11/27/2008                   12/4/2008       Smithson        PPs               implement approved comments into drafts 39b to make draft 40b                                  C
 485     10/24/2008   11/27/2008                   2/10/2009        Nevo           Guide             ask atsec about the appropriate escalation path for questions about a PP (see                  C        to be presented in Hawaii
                                                                                                     October comment #46)
 484     10/24/2008   10/31/2008                   12/4/2008       Smithson         PPs              update evaluation schedule to reflect a January certification date                             C
 483     10/24/2008   11/27/2008                  11/21/2008        Sukert          PPs              propose some discussion/rationale for SARs to be put in the PPs (see October                   C
                                                                                                     comment #15)
 482     10/24/2008   10/31/2008                   12/4/2008       Smithson         PPs              start an email thread about requiring or recommending the management and audit                 C
                                                                                                     items suggested in the ECDs of the NVS and SMI packages (see October comment
                                                                                                     #12)
 481     10/24/2008   10/31/2008                  11/13/2008       Smithson         PPs              start an email thread about consolidating data access control SFPs in the packages             C
                                                                                                     and removing the SFP table from the common PP (see October comment #4)

 480     10/24/2008   10/31/2008                  11/13/2008       Smithson         PPs              start an email thread about D.FUNC referring to Jobs instead of Documents (see                 C
                                                                                                     October comment #13)
 479     9/10/2008     9/17/2008                   9/30/2008       Smithson        PPs               implement approved sponsor comment resolutions in new PP drafts                                C        done version 39b
 478      9/9/2008    10/17/2008    11/27/2008    11/27/2008        Sukert         guide             Add text to guide describing FAX administration (see Sept comment 96)                          C        plan to put in version 40
 477     8/12/2008     8/26/2008    11/27/2008    11/27/2008        Sukert         guide             explain how if trusted path functions are performed by a third-party NIC, it must be           C        plan to put in version 40
                                                                                                     evaluated as part of the TOE or it must be a certified product that is composed with
                                                                                                     the TOE (see P2600A_2008_08_v05.pdf comment #9)
 476     8/12/2008    8/26/2008                    8/26/2008        Sukert         guide             explain some possible optional tests for FPT_TST.1 (see P2600A_2008_08_v05.pdf                 C        in 38a guide
                                                                                                     comment #61)
 475     8/12/2008    8/27/2008                     9/4/2008        Wright         ballot            post submitted comments to the sponsor ballot comment DB                                       C
 474     8/12/2008    8/26/2008                    8/27/2008       Smithson        PPs               produce interim draft with comment resolutions from this meeting                               C
 473     6/23/2008    7/10/2008                    7/10/2008         All           PPs               comments and company positions on NVS and SMI package proposals                                C
 472     6/23/2008     7/1/2008                     7/1/2008       Smithson        PPs               make proposals for NVS and SMI packages to the mailing list                                    C
 471     5/22/2008    6/16/2008                    6/17/2008       Smithson        PPs               see if DAPS customers still want overwrite + encryption                                        C        answer was forwarded to the ML
                                                                                                                                                                                                             on 6/17
 470     5/22/2008    6/16/2008                    5/28/2008        Wright         general           Announce meeting schedule on the mailing list                                                  C
 469     5/22/2008    6/16/2008                    6/23/2008       Smithson         PPs              Talk to atsec about getting the “packages” approach on the CCDB agenda for public              C        BSI - OK, NIAP - probably OK
                                                                                                     endorsement. Getting early endorsement from select schemes is valued as well.

 468     5/22/2008     6/4/2008                    6/5/2008        Smithson         PPs              Send reminder that all P2600 members who are also JBMIA members should have                    C        sent draft plus explanatory
                                                                                                     someone in attendance at the June 9th JBMIA meeting with IPA                                            documents to some members who
                                                                                                                                                                                                             distributed them to others
 467     5/22/2008     6/4/2008                    5/30/2008       Smithson         PPs              Get atsec to write up the justification of why packages are consistent with CC                 C

 466     4/15/2008     5/7/2008                     5/7/2008       Smithson        PPs               update all PPs according to approved comments from Mesa meeting                                C
 465     4/14/2008     5/7/2008                    5/16/2008        Nevo           other             backgrounder needs to be updated to reflect approval of IEEE Std 2600                          C
 464     3/11/2008    3/28/2008                    3/24/2008       Smithson        PPs               implement mandatory editorial coordination comments                                            C        in 34a
 463     3/12/2008    3/28/2008                     5/9/2008       Smithson        PPs               search for precedents in PPs and STs that use external services for timestamps and             C        no longer needed, we have
                                                                                                     identification/authentication, and prototype alternatives                                               received advice from atsec on this
                                                                                                                                                                                                             issue
 462     3/11/2008                                 4/7/2008        Smithson         PPs              submit sponsor ballot comment to allow delegate user to be fulfilled implicitly by             C        see WG comment #10
                                                                                                     originator user (in PRT and others as needed)
 461     3/12/2008    3/28/2008                    3/28/2008       Smithson         PPs              implement comment resolutions per Tokyo meeting                                                C
 460     3/13/2008    3/28/2008                    3/28/2008       Smithson         PPs              correct the audit recommendations/requirements tables in PP-B and PP-C (they                   C        was determined to be an editing
                                                                                                     mistakenly duplicate the recs/reqs from PP-A), based on previously agreed content                       error, not a technical correction,
                                                                                                                                                                                                             and there were no objections from
                                                                                                                                                                                                             PP editors
 459     3/12/2008                                 7/28/2008        Wright          PPs              Once proposed responses to both rounds of NIAP comments are ready, schedule a                  C        WG approved to start sponsor
                                                                                                     teleconference to get the WG to approve the associated changes so we can begin                          ballot
                                                                                                     sponsor ballot.
 458     3/12/2008                                  4/2/2008       Smithson         PPs              Draft proposed responses to expected second round of NIAP comments                             C        for discussion at Mesa mtg
 457     3/12/2008    3/21/2008                    3/21/2008       Smithson         PPs              Draft proposed text in response to NIAP comments received and reviewed at the                  C        posted to Tokyo mtg page
                                                                                                     Tokyo meeting.
 456     3/11/2008    3/18/2008     3/21/2008                      Sponsors         none             Each sponsoring company to provide text for inclusion in sponsors section                      C        except HP and Konica-Minolta
  455     2/5/2008    2/10/2008                     2/9/2008         Smithson          misc              record in the minutes items from CIM that we could or could not do in PPs                       C
  454     2/6/2008    2/15/2008     3/28/2008      3/24/2008         Smithson          PPs               write some verbiage in the PPs that acknowledges the companies who helped fund PP               C       added Samsung in 34a
                                                                                                         validation (add Samsung)
 453      2/6/2008     3/1/2008                                     Smithson           misc              invite IPA to participate in Tokyo P2600 meeting to discuss PP drafts and the                  C        IPA has responded
                                                                                                         validation / sponsor ballot process
 452      2/6/2008    2/15/2008                    2/14/2008        Smithson            PPs              update PPs according to accepted comments from Irvine meeting                                  C        draft 33a
 451      2/6/2008                                                   Aubry              PPs              chair an ad hoc committee to propose scope (and how to express it in the PPs) of               C        ad hoc has been formed, proposal
                                                                                                         O.DOC.RETRIEVE.NO_SAL (encryption) and O.DOC.DELETED.NO_SAL (RIP,                                       agreed upon
                                                                                                         typically accomplished by overwrite)
 450      2/5/2008      ASAP                       2/7/2008         Smithson            PPs               submit PPs for IEEE mandatory editorial coordination                                          C
 449     12/7/2007    1/22/2008     12/21/2007    12/20/2007        Smithson            PPs               update PPs according to accepted comments from Miami meeting                                  C
 448     12/7/2007    1/22/2008                    2/5/2008       Nevo, Cybuck          PPs               prepare a proposal regarding what is the scope (and how to specify it) of                     C        complete, but proposal rejected,
                                                                                                          O.DOC.RETRIEVE.NO_SAL (encryption) and O.DOC.DELETED.NO_SAL (RIP,                                      see AI #451
                                                                                                          typically accomplished by overwrite)
 447     12/6/2007    1/22/2008     12/21/2007    12/17/2007        Smithson            PPs               change "ID" to "identification" in the PP drafts                                              C
 446     12/6/2007    1/22/2008                    2/14/2008        Smithson            PPs               look at old meeting minutes to see if we deliberately put SSL.3 and AFL.1 back into PP-       C        there are no notes about it in the
                                                                                                          D, and if so, why                                                                                      minutes, it appears to have been
                                                                                                                                                                                                                 included accidentally. They are
                                                                                                                                                                                                                 removed from PP-D in 33a.


 445     12/6/2007    12/20/2007                  12/20/2007        Smithson          P2600               revise TSF conf and prot datadefs and submit sponsor ballot comment for P2600                 C

 444     12/6/2007    12/20/2007                  12/20/2007        Smithson          P2600               submit sponsor ballot comment for P2600 to add definitions of "original document              C
                                                                                                          handler" and "hardcopy output handler" (using new PP annex A defs)

 443     12/6/2007    1/22/2008                   12/20/2007        Smithson            PPs               fix the format problem in rationale tables where the SFR heading wanders into an              C        it is an Adobe bug! (they are
                                                                                                          adjacent cell                                                                                          correct in the original MSWord
                                                                                                                                                                                                                 documents that will be used by
                                                                                                                                                                                                                 IEEE editors)
 442     12/6/2007    12/20/2007                  12/20/2007        Smithson          P2600               submit sponsor ballot comment for P2600 to change "shared medium environments"                C
                                                                                                          to "shared-medium environments"
 441     12/6/2007    12/20/2007                  12/20/2007        Smithson          P2600               submit sponsor ballot comment for P2600 User Data definitions (to make them                   C
                                                                                                          consistent with PP annex A defs)
 440     12/7/2007    1/22/2008                    2/5/2008            All             PP-D               Investigate with their product implementers the impact of the issues identified in            C        The rejection of December
                                                                                                          comments 6 and 7 from the December meeting to see if these are problems.                               comments 6 & 7 stand. See AI
                                                                                                                                                                                                                 446.
 439     12/6/2007    1/22/2008                                       Nevo              PPs               PP Evaluation ad hoc develop press release and company recognition concepts for               C        Backgrounder complete
                                                                                                          the PPs
 438      12/6/2007    1/22/2008                   2/5/2008          Nevo               PPs               Is it required that PPs be publicly available?                                                C        A link is OK
 437     10/25/2007   11/22/2007                                    Smithson            PPs               upgrade to CCv3.1 release 2                                                                   C        in P2600.1-31a…
 436     10/26/2007   11/22/2007                  11/14/2007        Smithson         P2600.2/3/4          revise drafts after completing AI#433; new drafts will then be under change control           C
 435     10/26/2007   11/22/2007                  11/19/2007          Nevo               PP               request IEEE to invoice companies as soon as they have committed to fund the PP               C
                                                                                     validation           validation
 434     10/26/2007   11/22/2007                  11/13/2007         Nevo              RFQ                send revised RFQ to labs                                                                      C
 433     10/25/2007   11/22/2007                   11/9/2007        Smithson          P2600.1             make changes as instructed in                                                                 C        in P2600.1-31a…
                                                                                                          http://grouper.ieee.org/groups/2600/comment-tracking/P2600-1_2007_10_v02.pdf

 432     10/25/2007   11/22/2007                   11/1/2007        Smithson           PPs                change ALC_FLR support as follows: ALC_FLR.1 in A, B, C, and none in D                        C        in P2600.1-31a…
 431     10/25/2007   11/22/2007                  11/13/2007         Wright            RFQ                create some text for the RFQ that describes the process of going through IEEE                 C
                                                                                                          standard approval while also going through PP validation
 430     10/25/2007   11/22/2007                  11/13/2007          Nevo              RFQ               change RFP to RFQ                                                                             C
 429     10/25/2007   11/22/2007                  11/13/2007          Nevo            sponsor             add to the list of benefits: sponsors get to choose which scheme and lab are used,            C
                                                                                      benefits            and get to choose which PPs are validated
 428     10/25/2007   11/22/2007                   11/9/2007        Thrasher           P2600              make changes as instructed in                                                                 C
                                                                                                          http://grouper.ieee.org/groups/2600/comment-tracking/P2600_WG-Ballot01-v03.pdf

 427     10/25/2007   11/22/2007                   11/1/2007        Smithson           PPs                make "job initiation" an audit recommendation, not a requirement                              C        in P2600.1-31a…
 426     10/25/2007   11/22/2007                   11/9/2007        Thrasher          P2600               Replace smartcard architecture picture                                                        C
 425     10/25/2007   11/22/2007    1/22/2008       1/3/2008        Smithson           PPs                Investigate impact of FPT_TEE addition to CC V3.1 rel 2 and develop proposal for              C        sent email on 1/3/08, no responses
                                                                                                          integrating                                                                                            received.
 424     10/25/2007    12/6/2007                                     Wright             PPs               Start formation of 2600.1, .2, .3 & .4 ballot bodies                                          C        in process
 423     10/25/2007    12/6/2007                  10/29/2007         Sukert             PPs               Lead ad hoc to develop outline for "Guide to P2600 PPs" document                              C
 422     10/25/2007   11/15/2007                  11/14/2007         Wright             PPs               Send an e-mail to the mailing list of the publication and comment deadlines and also          C
                                                                                                          telling the list that PP-B/C/D will be under change control after Nov. 23, 2007

 421     10/25/2007   12/20/2007                   2/5/2008            All            P2600               Submitters of comments that were rejected during WG ballot resolution will consider           A        Overcome by events, P2600
                                                                                                          resubmitting them during Sponsor ballot                                                                sponsor ballot is complete.
 420     9/20/2007    11/21/2007                                Sukert plus All PP      PPs               revise the Special Terms and Acronyms annexes                                                 C        annex B done
                                                                     editors
 419     8/22/2007    10/10/2007                   9/17/2007       Smithson             PPs               make corrections / consider suggestions as per Nevo's free-form comments                      C        done in 30a

 418     8/22/2007    10/10/2007                  10/23/2007          Nevo              PPs               confirm that we should remove "job initiation" from audit requirements ("job                  C        Job initiation will be an audit
                                                                                                          completion" would remain)                                                                              recommendation but not a
                                                                                                                                                                                                                 requirement. In PP-A, PP-B & PP-C
 417     8/22/2007    10/10/2007                   9/19/2007        Smithson           PP-D               confirm that software verification is supposed to go away in D                                C        according to the ISRs defined at
                                                                                                                                                                                                                 the Bellevue meeting, we decided
                                                                                                                                                                                                                 to keep software verification in
                                                                                                                                                                                                                 OpEnv D; it has been added back
                                                                                                                                                                                                                 into p2600master-30c


 416     8/22/2007    10/10/2007                   9/19/2007        Smithson           PP-C               does D.FUNC still appear in P2600master-C?                                                    C        no, not according to the ISRs
                                                                                                                                                                                                                 defined at the Bellevue meeting
 415     8/22/2007    10/10/2007                  10/10/2007         Wright            PARs               request a PAR extension on P2600                                                              C
 414     8/22/2007    10/10/2007                   9/17/2007        Smithson            PPs               make corrections / consider suggestions as per Sukert's free-form comments                    C        done in 30a, see email regarding
                                                                                                                                                                                                                 exceptions and notes
 413     8/21/2007    10/10/2007                   10/8/2007        Thrasher          clauses             make corrections as per comments resolution file                                              C
 412     8/22/2007    10/10/2007                    2/5/2008         Sukert             PPs               see what your lab says about certifying with and without CPY authentication                   C        If the product has the CPY function
                                                                                                                                                                                                                 then the product must be certified
                                                                                                                                                                                                                 with the CPY function in its ST.

 411     8/22/2007    10/10/2007                   9/20/2007        Smithson            PPs               clarify what is authorized (binding to subject to perform ops) and when (before ops)          C        see SFPs in 30a
                                                                                                          and which (subsequent rules)
 410     8/22/2007    10/10/2007                   9/12/2007        Smithson            PPs               propose names and descriptions (Assets, Threats, etc.)                                        C        sent RFC on 9/4/07, closed on
                                                                                                                                                                                                                 9/12/07
 409     8/22/2007    10/10/2007                   9/20/2007        Smithson            PPs               do a call for comments on SMI mediation                                                       C        announced as part of 30a release
                                                                                                                                                                                                                 notes
 408     8/22/2007    10/10/2007                   9/18/2007        Smithson            PPs               P.SMI.MEDIATE and O.SMI.MEDIATED "based on flow control policy"                               C        done in 30a, "security policy"
                                                                                                                                                                                                                 should be sufficient in the objective

 407     8/22/2007    10/10/2007                   9/12/2007        Smithson            PPs               SMI 13.1.2.b "while such Assets are"                                                          C        done in 30a
 406     8/22/2007    10/10/2007                   9/17/2007        Smithson            PPs               remove PP app note in NVS                                                                     C        done in 30a
 405     8/22/2007    10/10/2007                   9/19/2007        Smithson            PPs               highlight caption and all but last row of table, then format "keep with next"                 C        done in 30a; for tables of >5 rows:
                                                                                                                                                                                                                 keep only caption with table,
                                                                                                                                                                                                                 disallow rows breaking across
                                                                                                                                                                                                                 pages, repeat first row header;
                                                                                                                                                                                                                 IEEE editors can change the 18
                                                                                                                                                                                                                 figures and 117 tables if they want
                                                                                                                                                                                                                 it to be different


 404     8/22/2007    10/10/2007                   9/19/2007        Smithson            PPs               explain in sufficiency/rationale why some items are boldfaced                                 C        done in 30a
 403     8/22/2007    10/10/2007                   9/19/2007        Smithson            PPs               look at assignment completion in ACC and ACFs                                                 C        those assignments must be
                                                                                                                                                                                                                 completed by ST authors because
                                                                                                                                                                                                                 they specify SFP-relevant attributes
                                                                                                                                                                                                                 that are too specific for these PPs


 402     8/22/2007    10/10/2007                   9/18/2007        Smithson           PPs                7.2.1 "Present in the TOE", look for others and make consistent                               C        done in 30a
 401     8/22/2007    10/10/2007                   9/17/2007        Smithson           PPs                make pp app note out of the "assets not included" note and tables                             C        done in 30a
 400     8/22/2007    10/10/2007                   9/12/2007        Smithson          PP A, B             change ALC_FLR.1 to ALC_FLR.2 (also in master)                                                C        master30b, PPA30a, will flow into
                                                                                                                                                                                                                 PPB30a
 399     8/21/2007    10/10/2007                   9/11/2007         Sukert            clause             prepare a proposal to broaden T.HCD.AVAIL.PEER, use T.HCD.AVAIL.BYPASS or                     C        need to confirm that this was
                                                                                       7.1.14             something, make consistent/distinct from T.HCD.AVAIL.COPY                                              incorporated in P2600-29b

 398     8/21/2007    10/10/2007                                    Thrasher          clause 9            search for "must" and consider changing to "should" as needed                                 C
 396     8/21/2007    11/15/2007    10/9/2009     10/26/2009        Smithson             all              send AI reminders (recurring AI)                                                              C
 395     8/22/2007    10/10/2007                   10/8/2007        Thrasher          10.1.3.7            Reword text to make it conditional on the presence of the other interfaces.                   C
 394     8/21/2007    10/10/2007                   10/8/2007         Wright              PP               Notify the list that PP-A is now under change control and all comments must be in the         C
                                                                                                          tool.
 393     8/21/2007    10/10/2007                   10/8/2007         Wright             All               Remind list that comments need to be in 5 business days before the meeting. This              C
                                                                                                          means documents need to be distributed earlier as well. ALL comments for
                                                                                                          discussion at meetings must be in the commenting tool.
 392     8/21/2007    10/10/2007                   10/8/2007         Wright             PP                Put out a call for participants in a "Guide" ad hoc                                           C
 391     8/21/2007    10/10/2007                                Chen/Sukert/Aubre       PP                Verify that ALC_FLR does not belong in PP-C or PP-D (only in A & B)                           C        proposed ALC_FLR.1 for A&B&C,
                                                                       y                                                                                                                                         nothing for D
 390     7/11/2007    8/14/2007                    9/17/2007        Smithson            PPs               clarify "usage-related" WRT audit events                                                      C        now says "TOE use and security-
                                                                                                                                                                                                                 related events"
 389     7/19/2007    8/14/2007                    7/25/2007         Sukert            PPs                send sample RFP to PP validation committee                                                    C
 388     7/11/2007    8/14/2007                    7/19/2007         Nevo              PPs                organize/schedule PP validation committee activities                                          C
 387     7/11/2007    8/14/2007                    8/14/2007         Farrell         PP Guide             collect background information and responses regarding the need / audience / content          C
                                                                                                          for such a document
 386     7/11/2007    8/14/2007                   11/21/2007         Sukert          PP-E docs            change "User" to "Operator"                                                                   C
 385     7/11/2007    8/14/2007                    8/14/2007        Smithson           PPs                put 28c mgmt recommendations into PP                                                          C        done in 29a
 384     7/11/2007    8/14/2007                    8/14/2007        Smithson           PPs                put 28d audit recommendations into PP                                                         C        done in 29a
  383    7/11/2007    8/14/2007                   8/10/2007       Smithson        PPs               distinguish between NO_DIS and NO_ALT in the objective rationale tables                           C       done in 29a
  382    7/11/2007    8/14/2007                   8/13/2007       Smithson        PPs               add "detection" back to FAU_STG.1.2                                                               C       done in 29a
  381    7/11/2007    8/14/2007                    8/8/2007       Smithson        PPs                t.func.transit.dis not on spreadsheet but is in PP -- fix that                                   C       fixed in P2600master version 29a

 380     7/11/2007    8/14/2007                   8/14/2007      Smithson          PPs               incorporate the requirement for SSL.3 into p.auth.*                                             A        I think this is not needed; its
                                                                                                                                                                                                              function is explained in rationale
                                                                                                                                                                                                              tables, same as FIA_AFL.1,
                                                                                                                                                                                                              FIA_UAU.7, etc.
 379     7/11/2007    8/14/2007                   8/14/2007      Smithson          PPs               justify the inclusion of or remove UAU.6                                                        C        removed in 29a
 378     7/11/2007    8/14/2007                   8/13/2007      Smithson          PPs               figure out how to specify bridge without implying plural interfaces -- maybe treat proxy        C        removed P.COMMS.* and
                                                                                                     and bridge as the same threat?                                                                           replaced with P.SMI.MEDIATION;
                                                                                                                                                                                                              removed O.COMMS.* and
                                                                                                                                                                                                              replaced with O.SMI.MEDIATED;
                                                                                                                                                                                                              results in the same set of SFRs


 377     7/11/2007    8/14/2007                   8/13/2007      Smithson          PPs               figure out how to handle SMI TSF data that is outside of the TOE boundary                       C        added clarification to SMI (and also
                                                                                                                                                                                                              NVS) that the operations are being
                                                                                                                                                                                                              performed on behalf of other
                                                                                                                                                                                                              subjects
 376     7/11/2007    8/14/2007                   9/19/2007      Smithson          PPs               resolve or map p.audit.logged to o.conf.* in all TOEs (see NVS in particular)                   C        there are audit requirements in all
                                                                                                                                                                                                              TOEs; in NVS, they have to do with
                                                                                                                                                                                                              administrator I&A (and some audit
                                                                                                                                                                                                              requirements that result from having
                                                                                                                                                                                                              an audit function)


 375     7/11/2007    8/14/2007                   8/13/2007      Smithson          PPs               resolve how temp/stored documents are specified in NVS TOE so as _not_ to imply a               C        created "atRest" state that contains
                                                                                                     requirement for DSR functionality                                                                        inJob and onServer states

 374     7/11/2007    8/14/2007                   8/13/2007      Smithson          PPs               expand definition of TEMP to include jobs not started (i.e. in queue)                           C        refer to
                                                                                                                                                                                                              http://grouper.ieee.org/groups/2600/email/msg00879.html for details

 373     7/11/2007    8/14/2007                  10/25/2007      Smithson          PPs               look at APE_INT.*, APE_SPD.*, APE_OBJ.* and APE_REQ.* and make sure that                        C        resolved in comments on P2600.1-
                                                                                                     threat/objective/policy descriptions are sufficient                                                      30
 372     7/11/2007    8/14/2007                   8/13/2007      Smithson          PPs               look at names/definitions of TEMP and STORED for DOC and FUNC and make                          C        refer to
                                                                                                     more clear / distinct / consistent                                                                       http://grouper.ieee.org/groups/2600/email/msg00879.html for details

 371     7/11/2007    8/14/2007                   8/10/2007      Smithson          PPs               change the access control SFPs to say that the TOE *requires* user auth, not that it            C        done in 29a
                                                                                                     necessarily performs it
 370     7/11/2007    8/14/2007                   9/20/2007      Smithson          PPs               add the concept of a regular user (as an IT entity) to the SMI TOE                              C        done in 30a -- two new user types
                                                                                                                                                                                                              and some changes to the SMI TOE
                                                                                                                                                                                                              model
 369     7/11/2007    8/14/2007                   8/9/2007       Smithson          PPs               explain in each TOE why some of the assets are not considered in that TOE                       C        added tables to each TOE and app
                                                                                                                                                                                                              note to general model
 368     7/11/2007    8/14/2007                    8/9/2007      Smithson          PPs               try moving func.stored (job logs) to TSF data                                                   C        done in 29a - works OK
 367     7/11/2007    8/14/2007                   10/8/2007      Thrasher         P2600              edits as directed by comment resolution                                                         C        one comment is no longer relevant,
                                                                                                     http://grouper.ieee.org/groups/2600/comment-tracking/P2600_2007_07-V01.pdf                               others done

 366     7/12/2007    8/14/2007                                   Wright         general             Start P2600 Sponsor Ballot Invitation before August meeting                                     C
 365     7/12/2007    8/14/2007                   8/15/2007       Wright         general             Send e-mail to list about how to join IEEE                                                      C
 364     7/12/2007    8/14/2007                   8/15/2007       Wright         general             Scrub voting membership                                                                         C
 363     7/12/2007    8/14/2007                   8/15/2007       Wright         general             Send note to e-mail list asking for contributions as to the need, potential content,            C        Lee took this
                                                                                                     timing and audience of a Guide.
 362     7/11/2007    8/14/2007                   8/13/2007      Smithson          PPs               Implement case 2 of FPT_TST as per Carmen's e-mail                                              C        done in 29a
 361     7/11/2007    8/14/2007                                   Cybuck           PPs               Call up NIAP for an informal opinion as to the applicability of the new fee schedule to         C        See e-mail from Nevo on 8/21 on
                                                                                                     PP evaluations.                                                                                          this subject
 359     5/31/2007    7/4/2007                    6/22/2007      Smithson          PPs               solve the issue of TEMP versus STORED versus DELETED and of volatile versus                     C
                                                                                                     nonvolatile
 358     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               apply A.LOCATION.SECURE to PRT, SCN, FAX, CPY, and DSR                                          C
 357     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               remove the numbers in the UML composition relationships in PP diagrams                          C
 356     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               remove audit/mgmt recommendations from the SFR rationale tables; use only the                   C
                                                                                                     direct and dependent SFRs, and add some explanatory text
 355     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               create TOE ACPs and FCPs based on informal security requirements, and place                     C
                                                                                                     them in the beginning of the appropriate SFR sections
 354     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               fix hierarchical SFR components                                                                 C
 353     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               change "Sources" (in SFR statements) to something else so that it is not a non-                 C        made into PP app notes
                                                                                                     standard SFR statement
 352     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               make naming and meaning consistent between SENT/RECV assets and COMMS                           C        combined SENT/RECV assets and
                                                                                                     threats/objectives                                                                                       changed COMMS name to
                                                                                                                                                                                                              TRANSIT
 351     5/30/2007    7/4/2007                    6/22/2007      Smithson          PPs               propose solution for T.DOC.OUTPUT.DIS in CPY (I&A session concept?)                             C        we will try removing asset/threat
                                                                                                                                                                                                              from CPY TOE
 350     5/30/2007    7/4/2007                    6/15/2007      Smithson          PPs               remove asset D.DOC.INPUT (because it has no threats assigned to it)                             C
 349     5/30/2007    7/4/2007                                   Smithson          PPs               get an opinion from NIAP CCEVS regarding our use of OSPs                                        C        appears to be OK with them
 348     5/30/2007    7/4/2007                    6/12/2007      Smithson          PPs               add ALC_FLR.1 to PPA and PPB                                                                    C        added to PP
 347     5/31/2007    7/4/2007                                   Everyone        Clause 2            Do we have any normative references? Everyone should consider any                               C        Jerry to send note to list and close
                                                                                                     recommendations and forward to Thrasher.                                                                 at Oct meeting if nothing is
                                                                                                                                                                                                              identified
 346     5/31/2007    7/4/2007                                    Cybuck           PP                Are there newer versions of the drafts of the CIMs? If so, can we get copies?                   C        Dec 2006 versions are the current
                                                                                                                                                                                                              ones. Review the NIAP Policy
                                                                                                                                                                                                              statements as a "substitute" for
                                                                                                                                                                                                              CIMs
 345     5/31/2007    6/8/2007                    6/22/2007      Thrasher         Main               Write up informal security requirements as prose.                                               C
 344     5/31/2007    6/8/2007                     6/8/2007      Smithson         Main               Final list of assets and threats to Thrasher                                                    C
 343     5/31/2007    7/4/2007                    7/12/2007      Smithson         PPs                Related to FMT_SMF, what's the minimum set of management functions? Identify the                C        determined at Bellevue mtg
                                                                                                     minimum set for each environment.
 342     5/31/2007    7/4/2007                    7/12/2007      Smithson          PPs               Related to FAU_GEN, what's the minimum set of audited items for audit logs? Identify            C        determined at Bellevue mtg
                                                                                                     the minimum set for each environment.
 341     5/31/2007    7/4/2007                                   Smithson          PPs               In the informal security requirements, which configuration items are secret? Which are          C        request for comments via
                                                                                                     unalterable? Identify the minimum set for each environment.                                              stds-2600
                                                                                                                                                                                                              *** 2nd RFC sent
                                                                                                                                                                                                              *** App Note tells ST authors to
                                                                                                                                                                                                              define for their TOE
 340     5/30/2007    7/4/2007                                   Smithson          PPs               What are NIAP's and IPA's views on including ITC and not including COP?                         A        no longer relevant (we don't use
                                                                                                                                                                                                              FPT_ITC)
 339     5/30/2007    7/4/2007                    9/17/2007      Smithson          PPs               How are resources within the printer (i.e. downloaded fonts, images of signatures,              C        they are handled as TSF data,
                                                                                                     etc.) protected?                                                                                         most likely "protected" and not
                                                                                                                                                                                                              "confidential" (but it is up to the ST
                                                                                                                                                                                                              author) as indicated by PP app
                                                                                                                                                                                                              note in 30a
 338     5/15/2007    5/23/2007                   5/24/2007      Smithson          PPs               send links to NIAP, BSI, ask for opinion on FPP structure                                       C
 337     4/25/2007    5/23/2007                   5/22/2007      Smithson          PPs               arrange to discuss and reach consensus on decision for/against new                              C
                                                                                                     asset/threat/objectives model (before May meeting)
 336     4/25/2007    5/23/2007    8/14/2007      8/14/2007      Smithson          PPs               consider adding function to asset/threat/objective definitions (e.g.                            A        should no longer need to do this
                                                                                                     T.DOC.OUTPUT.DIS.PRT)                                                                                    (because of state name/definition
                                                                                                                                                                                                              changes in 29a)
 335     4/25/2007    5/23/2007                   5/24/2007     PP editors         PPs               take out O.DELETE for management data                                                           C        done in FPP-A 27c
 334     4/25/2007    5/23/2007                   9/19/2007     Smithson            all              consider/propose new definitions for which TSF Data cannot be disclosed and which               C        done in 30a, see 5.5.3
                                                                                                     TSF Data can be disclosed but should not be altered (current definitions in Smithson's
                                                                                                     proposal are not specific)
 333     4/24/2007    5/23/2007                   5/14/2007     Smithson           PPs               create mapping for new asset/threat model to old one                                            C
 332     4/24/2007    5/23/2007                   5/24/2007     PP editors         PPs               adopt FPP approach, with network as an option                                                   C        PP-A done, others will be based on
                                                                                                                                                                                                              that one
 331     4/24/2007    5/23/2007                   5/14/2007      Smithson          PPs               restructure the FPP so that each contained PP is standalone, not relying on rationale           C
                                                                                                     tables
 330a    4/24/2007    5/23/2007                   5/15/2007        Nevo            PPs               verify that using an SAR to fulfill an objective of an OSP is acceptable to IPA                 C        It is not acceptable. See CC part 1,
                                                                                                                                                                                                              A.9.1.2.1 and A.9.2
 330     2/23/2007    4/17/2007                                    ALL             PPs               review DoS issues, discuss, and be prepared to make decision in April 07                        C
 329a    2/23/2007    4/17/2007                   3/2/2007         Ueda            PPs               post a copy of the DOS/DDOS slides to the mailing list                                          C
 329     4/24/2007    5/23/2007                   5/24/2007     PP editors         PPs               remove DoS from treatment in PPs (any unique assets, threats, objectives, and                   C        done in FPP-A 27c
                                                                                                     SFRs)
 328     2/23/2007    4/17/2007                   6/15/2007      Smithson          PPs               shall we include ALC_FLR? Which one? In which PPs?                                              C        ALC_FLR.1 requires the company
                                                                                                                                                                                                              to have a way of tracking bugs in
                                                                                                                                                                                                              the product. (Yes at least for PP-A
                                                                                                                                                                                                              & PP-B)
 327     2/23/2007    4/17/2007                                  Smithson          PPs               revisit Demonstrable vs. Strict conformance on mailing list                                     C        Use demonstrable
 326     2/22/2007    4/17/2007                                   Nevo          compliance           include a statement instructing vendors on how to claim compliance with P2600, for              C        In clause 10
                                                                                  clause             example "This product conforms to IEEE Std. 2600 for Operational Environment A"
 325     2/22/2007    4/17/2007                  10/18/2007      Smithson          PPs               look at how other PPs/STs handle credentials -- are they TSF data or User data?                 C        User creds are UD in JavaCard;
                                                                                                                                                                                                              other PPs don't distinguish asset
                                                                                                                                                                                                              types. Few STs distinguish asset
                                                                                                                                                                                                              types, but looking at how
                                                                                                                                                                                                              credentials are grouped with other
                                                                                                                                                                                                              assets (like audit data) and which
                                                                                                                                                                                                              SFRs are applied, it appears that
                                                                                                                                                                                                              they are most often categorized as
                                                                                                                                                                                                              TSF Data


 324     2/22/2007    4/17/2007                                UNASSIGNED          PPs               DoS mitigation objective (compliance clause 1.1.1.6) should not protect ALL assets;             A        DoS objectives removed from PPs
                                                                                                     needs to be redefined                                                                                    and therefore from compliance
                                                                                                                                                                                                              clause
 323     2/22/2007    4/17/2007                                UNASSIGNED          PPs               modify PP objectives as needed to correspond with changes in compliance clause                  A        we have new PP objectives
                                                                                                     25a 1.2.1.1, 1.2.1.4, and 1.2.2.2
  322    2/22/2007    4/17/2007    10/25/2007                        Volkoff          PPs               write up response to Sameer Yami's email about disk salvage (see Feb 2007 meeting                 C
                                                                                                        notes under "Email issues")
 321     2/22/2007    4/17/2007                                  Farrell, Chen,        PPs              review Nevo/Cybuck draft proposal for PP structure                                               C
                                                                    Sukert
 320     2/22/2007    4/17/2007                                  Nevo/Cybuck           PPs               prepare draft of alternative proposal for PP structure                                          C
 319     2/22/2007    4/17/2007                   3/15/2007          Ueda              PPs               post a copy of the IPA meeting minutes to stds-2600 list (in Japanese is OK)                    C
 318     2/22/2007    4/17/2007                                    Cybuck              PPs               confirm with NIAP that they do or do not require individual PPs for HCD functions               C        NIAP does not require (related to
                                                                                                                                                                                                                  AI #292)
 317     2/22/2007    4/17/2007                                     Volkoff            PPs               investigate whether we can/should enable user-downloadable applets in a certified               C        How could we distinguish among
                                                                                                         configuration and therefore handle threats of rogue applets                                              security-relevant and security-
                                                                                                                                                                                                                  irrelevant applets? Manufacturer
                                                                                                                                                                                                                  can have their "VM" environment
                                                                                                                                                                                                                  certified and make those claims in
                                                                                                                                                                                                                  their ST.
 316     2/22/2007    4/17/2007                   4/5/2007        Smithson            admin              send individual action item reminders                                                           C
 315     2/22/2007    4/17/2007                                   Smithson            admin              confirm Ricoh hosting October meeting in Cupertino                                              C        yes they will
 314     2/22/2007    4/17/2007                    3/1/2007         Farrell           admin              find out if MS will host PWG in July                                                            C        yes they will
 313     2/22/2007    4/17/2007                   5/17/2007    Smithson/Cybuck        admin              Invite/confirm NIAP to attend May meeting in DC                                                 C        cannot attend but will respond to
                                                                                                                                                                                                                  questions and will review FPP

 312     2/22/2007    4/17/2007                                Smithson/Cybuck        admin              Invite Labs to come to our NJ meeting to talk about alternate business plans to get PP          C        SAIC, Infogard, COACT,
                                                                                                         certified.                                                                                               Cygnacom, Corsec, EWA Canada,
                                                                                                                                                                                                                  CC Consulting, BAH, atsec invited

 311     12/12/2006   2/17/2007                                    Smithson            PPs               clarify that .EM threats refer to emissions from the wire, not from the device                  A        abandoned, new model doesn't
                                                                                                                                                                                                                  care how you sniff the network, it
                                                                                                                                                                                                                  only cares what you can smell

 310     12/12/2006   2/15/2007                   2/21/2007          Nevo           clause 10            Use "network administrator" since we haven't defined a "security administrator."                C

 309     12/12/2006   2/15/2007                   2/2/2007         Thrasher          clause 3            check definitions of volatile and non-volatile storage                                          C        erased and "lost" might not be the
                                                                                                                                                                                                                  right words to use here. Check
                                                                                                                                                                                                                  NIST document on media
                                                                                                                                                                                                                  sanitization (SP 800-88)
 308     12/12/2006   2/15/2007                                    Smithson           SFRs               look at T.UD.ACC.HACK interfaces (on worksheet) -- should be different interfaces               A        new model doesn't have this issue
                                                                                                         than "normal"
 307     12/12/2006   2/15/2007                   4/4/2007         Smithson          clauses,            write up assets, threats, objectives to clarify protection of external environment, look        C        used OSPs in P2600.1-26d
                                                                                       PPs               at Océ STs for example
 306     12/12/2006   2/15/2007                   5/30/2007         Sukert             PPs               ask a CC evaluator about having unused terminology that is defined in a PP (like                C        not a problem
                                                                                                         "auditor" in PP-C, or "maintenance port" in PP-D)
 305     12/12/2006   2/15/2007                   5/24/2007       Smithson             PPs               remove references to blank paper/toner/etc from PPs                                             C        done in FPP-A 27c
 304     12/12/2006   2/15/2007                                 Aubry and other         all              resolve discrepancies in definitions of UFD, MD, and TSF data, and associated                   A        new model has no such
                                                                  PP Editors                             threats                                                                                                  discrepancies
 303     12/12/2006   2/15/2007                   4/25/2007      guide to PPs       PP guide             add T.DOS.FAX threats to PP threat table, if we decide to retain those DOS threats              C        decided against DOS threats
                                                                     editor
 302     12/12/2006   2/15/2007                   2/2/2007         Thrasher           main               extract text that should be placed in "guide to PPs" and save in a new document for             C        Document is available from
                                                                                                         the new editor of that document                                                                          Thrasher.
 301     12/12/2006   2/15/2007                   5/30/2007         Sukert           clauses,            share what you can about mitigating T.DOS.PRT.DELETE                                            A        See also AI #287
                                                                                       PPs
 300     12/12/2006   2/15/2007                                    Smithson            PPs               identify which threats are mitigated by O.MONITOR, and propose to keep them and                 A        new model accounts for audit
                                                                                                         create audit requirement, or remove them and rely on other objectives                                    recommendations of all SFRs

 299     12/12/2006   2/15/2007                   2/19/2007        Smithson            PPs               further research on interpretation of "unspecified" audit, including IPA interpretation         C        question forwarded to people
                                                                                                                                                                                                                  visiting IPA on 2/19/07:
                                                                                                                                                                                                                  We can use unspecified in the PP
                                                                                                                                                                                                                  but ST writers would have to pick
                                                                                                                                                                                                                  one of the standard ones or justify
                                                                                                                                                                                                                  something unique.


 298     12/12/2006   2/15/2007                   6/20/2007          Aubry           clauses,            figure out how to handle validation of applets and software loading -- we thought to            C        See AI #281. Use FPT_TST to
                                                                                       PPs               use O.GENUINE, but O.GENUINE refers more to self-test -- need a clear objective                          accomplish this.
                                                                                                         and SFR(s)                                                                                               * Keep O.Genuine objective ..
                                                                                                                                                                                                                  Power-on CRC check
                                                                                                                                                                                                                  * Downloading new firmware
                                                                                                                                                                                                                  generally invalidates the
                                                                                                                                                                                                                  certification
                                                                                                                                                                                                                  * Consider the firmware part of the
                                                                                                                                                                                                                  configuration data so that any
                                                                                                                                                                                                                  threats against management data
                                                                                                                                                                                                                  apply to the firmware?




 297     12/12/2006   2/15/2007                   5/30/2007         Sukert             PPs               check with CSC to see if FTP_ITC is sufficient and FCS_COP is not needed                        C        Some schemes may require COP
                                                                                                                                                                                                                  (1 & 2) if ITC is used.
                                                                                                                                                                                                                  * Check NIAP policy letter #9
 296     12/12/2006   2/15/2007                                    Smithson            PPs               update SFR worksheet per sfr-notes24b.txt                                                       A        we have a new SFR worksheet
                                                                                                                                                                                                                  based on new model


 295     12/11/2006   2/15/2007                                   PP Editors           PPs               change definition of UDD asset to NOT include hardcopy input                                    A        UDD states in new model are
                                                                                                                                                                                                                  specific and input is not considered
                                                                                                                                                                                                                  in PPs
 294     12/11/2006   2/15/2007                                    Smithson            PPs               add EA to 1.2.3.3                                                                               A        EA no longer an asset in new
                                                                                                                                                                                                                  model
 293     12/11/2006   2/15/2007                                    Smithson            PPs               add TOE availability to 1.2.3.3, clarify that it does not apply to external factors like        A        availability no longer an asset in
                                                                                                         fires, floods, etc.                                                                                      new model
 292     12/11/2006   2/15/2007                   5/30/2007         Cybuck             PPs               contact NIAP and ask if explicit statement of which SFRs apply to functions is                  A        will verify "unofficial" answer from
                                                                                                         acceptable, or is a family of PPs required?                                                              Howard Cohen.
 291     12/11/2006   2/15/2007                   2/19/2007      JBMIA study           PPs               contact IPA and ask if explicit statement of which SFRs apply to functions is                   C        IPA: requires multiple individual
                                                                   group                                 acceptable, or is a family of PPs required?                                                              PPs or a family of PPs
 290     12/11/2006   2/15/2007                                   Smithson             PPs               propose objective names to resolve the problem of same name / different meaning in              A        new objectives model doesn't have
                                                                                                         different environments                                                                                   this problem
 289     12/11/2006   2/15/2007                                     Nevo,           PP B,C,D             use tables from AI#288 to unroll threats (remove threats that do not apply to your PP)          A        we have new threats
                                                                 Chen/Sukert,
                                                                    Aubry
 288     12/11/2006   2/15/2007                                    Smithson            PPs               unroll threat categories and create new tables for PP-A - use FULL descriptions from            A        we have new threats
                                                                                                         the clauses, not short descriptions
 287     12/11/2006   2/15/2007                   4/24/2007          ALL               PPs               invited comments for next meeting, regarding T.DOS and T.EA:                                    C
                                                                                                         which threats are not testable?
                                                                                                         which threats are never covered by other PPs or STs?
                                                                                                         which threats are not mitigatable?
                                                                                                         what other details are needed in the threat or objective descriptions to make them
                                                                                                         more clearly understood and testable?
                                                                                                         what SFRs or SARs would apply?

                                                                                                         POST TO MAILING LIST ASAP!!

 286     12/11/2006   2/15/2007                                    Smithson            PPs               analyze CIM instructions, recommend what to include as requirements and what to put             A        we cannot recommend CIM items
                                                                                                         in an informative annex                                                                                  for ST authors because it will not
                                                                                                                                                                                                                  result in a CIM-compliant ST; an
                                                                                                                                                                                                                  ST is CIM-compliant only if it is
                                                                                                                                                                                                                  based on a CIM-compliant PP


 285     12/11/2006   2/15/2007                                    Smithson         Clause 7 &           T.EA.FAXBRIDGE removed from PP-C, updated as appropriate                                        A        threat has been replaced in new
                                                                                     Annex E                                                                                                                      model
 284     10/24/2006   12/4/2006                                 Smithson/Aubry         PP-D              is it OK to remove T.TSF.SW.UPDATE from PP-D?                                                   A        we reversed the "yes" decision on
                                                                                                                                                                                                                  this in subsequent meetings; it will
                                                                                                                                                                                                                  be added to PP-D driven by
                                                                                                                                                                                                                  AI#344
 283     10/24/2006   12/4/2006                   2/15/2007        Smithson           SFRs               complete the proposed example entity model                                                      C        covered in the new PP-A diagrams

 282     10/24/2006   12/4/2006                                    Smithson           SFRs               should we add FTP_ITC.1 for O.GENUINE (if we decide on #281)                                    A        ITC is not the correct SFR but we
                                                                                                                                                                                                                  do use TRP for network-loaded
                                                                                                                                                                                                                  software updates
 281     10/24/2006   12/4/2006                                Smithson / Volkoff     SFRs               should we expand the definition of O.GENUINE to include validation (trust) of                   A        we reversed the "yes" decision on
                                                                                                         software updates and applet loads?                                                                       this in subsequent meetings
 280     10/24/2006   12/4/2006                  11/21/2006        Smithson           SFRs               should we add FRU_FLT.1 and its dependency FPT_FLS.1 for O.RESILIENT                            A        we decided "no" on this, and they
                                                                                                         (instead of ATE_FUN.1)?                                                                                  are not specified for the new
                                                                                                                                                                                                                  equivalent objectives
 279     10/24/2006   12/4/2006                  11/21/2006        Smithson           SFRs               should we add FMT_REV.1 for O.ACCESS (would this be used for such things as                     A        we decided "no" on this, and it is
                                                                                                         deleting a user?)?                                                                                       not specified for the new equivalent
                                                                                                                                                                                                                  objectives
 278     10/24/2006   12/4/2006                                    Smithson           SFRs               should we add FMT_MSA.3 for O.ACCESS for A|B and maybe C?                                       A        we decided "yes" on this and the
                                                                                                                                                                                                                  dependency is already fulfilled for
                                                                                                                                                                                                                  the equivalent new objectives

 277     10/24/2006   12/4/2006                  11/21/2006        Smithson           SFRs               should we add FMT_MOF.1 to O.ACCESS to environment A and maybe B|C (for                         A        we decided "no" on this and it is not
                                                                                                         CIM)?                                                                                                    specified for the equivalent new
                                                                                                                                                                                                                  objectives
 276     10/24/2006   12/4/2006                  11/21/2006        Smithson           SFRs               add FDP_UCT.1 and FDP_UIT.1 to O.NETWORK for environment A                                      A        we decided "no" on this and they
                                                                                                                                                                                                                  are not specified for the equivalent
                                                                                                                                                                                                                  new objectives
 275     10/24/2006   12/4/2006                  12/11/2006        Smithson           SFRs               add FCS_COP.1 (and related dependencies) to O.NETWORK for environments A                        C        added to SFR worksheet
                                                                                                         (user and mgmt data) and B|C (mgmt data only)                                                            PP-A done
 274     10/24/2006   12/4/2006                  11/21/2006        Smithson           SFRs               review SFRs and look for audit and management recommendations in CC Part 2;                     C        see audit-notes and mgmt-notes for
                                                                                                         consider adding audit/mgmt SFRs as needed                                                                meeting 24
  273    10/24/2006   12/4/2006                   12/11/2006      Thrasher, PP        PPs                add O.DELETE to T.TSF.SALVAGE (rationale: consistent with T.UD.SALVAGE)                        C       threat/objective worksheets done
                                                                      Editors                                                                                                                                   PP-A, B, C done

 272     10/24/2006   12/4/2006                                    PP Editors         PPs                remove O.ACCESS, O.NETWORK, and O.MONITOR from T.TSF.CRED.GUESS,                              A        handled by new threat/objective
                                                                                                         and to add OE.TRAIN to T.TSF.CRED.GUESS                                                                model
 271     10/24/2006   12/4/2006                   12/11/2006      Thrasher, PP        PPs                remove O.PROTECT from all threats except T.UD.SALVAGE and T.TSF.SALVAGE                       C        threat/objective worksheets done
                                                                     Editors                                                                                                                                    PP-A, B, C done

 270     10/24/2006   12/4/2006                   12/11/2006      Thrasher, PP        PPs                add O.NETWORK to T.DOS.NET.CONNECT|CRAFT\FLOOD (rationale: flow                               C        threat/objective worksheets done
                                                                     Editors                             control helps mitigate the threat)                                                                     PP-A, B, C done

 269     10/23/2006   12/4/2006                    5/25/2007         Sukert           PP-A               create mapping for existing CIM, like Chen's mapping of PP-C                                  C        Sukert's mapping of PP-A will be
                                                                                                                                                                                                                reviewed during the May meeting.

 268     10/23/2006   12/4/2006     11/7/2007                         Nevo            PP-B               create mapping for existing CIM, like Chen's mapping of PP-C                                  C
 267     10/23/2006   12/4/2006                    2/21/2007          Nevo             10                restate the PP objectives (not in CC terminology) and provide references to example           C        Compliance Clause covers this
                                                                                                         mitigation techniques, O.* for manufacturers and OE.* for IT professionals (see
                                                                                                         meeting #23 slide 20 for more detail)
 266     10/23/2006   12/4/2006                                     Thrasher        Clauses              evaluate (and implement?) restructuring of main body as standalone std                        C
 265     10/23/2006   12/4/2006                   12/11/2006        Thrasher          PPs                report on possibility of PP eval performed by COACT                                           C        COACT does not
 264     10/23/2006   12/4/2006                   12/11/2006         Cybuck           PPs                report on possibility of PP eval performed by SAIC, BAH                                       C        SAIC=Canada, maybe UK
                                                                                                                                                                                                                BAH= unknown
 263     10/23/2006   12/4/2006                                      Sukert           PPs                report on possibility of PP eval performed by CSC                                             C        impacted by NIAP directive on non-
                                                                                                                                                                                                                EAL 4, 5, 6, 7 PPs
 262     10/24/2006   11/15/2006                   11/6/2006        Smithson          PPs                Schedule PP editors' face-to-face to work on CCV3.1 PPs                                       A        decided not to
 261      9/7/2006    10/16/2006                  10/20/2006        Smithson          PPs                ask Freas about PPs for production printing                                                   C        discuss at Lexington
 260      9/7/2006    10/16/2006                  10/18/2006         Nevo             PPs                draft a strawman compliance clause                                                            C        discuss at Lexington
 259      9/7/2006    10/16/2006                   9/24/2006        Smithson          PPs                get Freas comments on likelihood/value of getting PP-A and/or B adopted in some               C        David Freas is attempting to get in
                                                                                                         form as a US govt PP                                                                                   contact with Audrey Dale at NIAP

 258      9/7/2006    10/16/2006                  10/20/2006        Smithson          PPs                refine the top-down SFR approach, identifying policies and using PP app notes for             C        discuss at Lexington
                                                                                                         specifics
 257      9/7/2006    10/16/2006                   12/8/2006          Aubry           PP-D               add (back) the objectives and rationales (with a PP app note about using them, and            C
                                                                                                         the threats, to allow an ST writer to create an EAL2 ST)
 256      9/7/2006    10/16/2006                   12/8/2006         Aubry           PP-D                some assumptions need review/rewording/deletion (like A.ADMIN, A.USER)                        C
 255      9/7/2006    10/16/2006                  12/11/2006         Aubry           PPs                 make sure all headers/footers update (problems due to section breaks)                         C        A, B & C are done
 254      9/7/2006    10/16/2006                  12/11/2006      Chen/Sukert        PP-C                reference to NIST EAL should be Common Criteria EAL                                           C
 253      9/7/2006    10/16/2006                  12/11/2006      Chen/Sukert,      PP-C,D               one reference to "section 0" in 4.4: change it to point to section 1.2.1                      C        C is done
                                                                     Aubry                               other reference to "section 0" should point to section 4
 252      9/7/2006    10/16/2006                   12/8/2006       PP editors      PP-B,C,D              change table 11 to 10pt typeface                                                              C
 251      9/7/2006    10/16/2006                   12/8/2006       PP editors        PPs                 make sure line numbers are turned on for entire document                                      C
 250      9/7/2006    10/16/2006                   12/8/2006         Aubry           PP-D                change O.NETWORK per PP-A 22b                                                                 C
 249      9/7/2006    10/16/2006                   12/8/2006       PP editors       PP-B,D               change definition of Management Data per PP-A 22b                                             C
 248      9/7/2006    10/16/2006                   12/8/2006       PP editors      PP-B,C,D              change definition of Stored Data per PP-A 22b                                                 C
 247      9/7/2006    10/16/2006                   12/8/2006       PP editors      PP-B,C,D              change definition of Temporary Data per PP-A 22b                                              C
 246      9/6/2006    10/16/2006                                    Wright          general              Find out what copyright license terms could be offered on an IEEE std and what that           C        Discussions and negotiations are
                                                                                                         means for a published Protection Profile                                                               happening.
 245      9/6/2006    10/16/2006                   5/30/2007         Wright          general             Find out what kind of acknowledgement can be put on an IEEE std.                              C        Don will work with IEEE staff to
                                                                                                                                                                                                                craft the words. SASB ProCom
                                                                                                                                                                                                                will provide general guidance on
                                                                                                                                                                                                                this at its meeting in June.


 244      9/6/2006    10/16/2006                  11/13/2006    Thrasher/Smithson Annex-E &              Keep T.TSF.AUD.ACCESS in PP-B, update annex E                                                 C
                                                                                   Clause 7

 243      9/6/2006    10/16/2006                   12/4/2006         Nevo            PP-B                Remove T.UD.SNIFF.NET from PP-B                                                               C
 242      9/6/2006    10/16/2006                  12/11/2006         Sukert          PPs                 Proposal for methodology to mitigate command injection attacks                                A
 241     7/27/2006     8/30/2006                   8/23/2006        Smithson        Annex E              make necessary tweaks to threat analysis to support changes for T.UD.SNIFF.NET                C        SEE ALSO AI#198 (See AI #244)
                                                                                                         and T.TSF.AUD.ACCESS in PP-B, and give markup to Thrasher

 240     7/26/2006    8/30/2006                    6/12/2007     Smithson, Nevo    PP-A, PP-             What is quality of password for FIA_SOS in CCV3.1? (WAS: add FIA_QAD                          C        leave open to ST writer -- add an
                                                                                      B                  specifying at least 4 numeric characters for PP-B and at least 8 alphanumerics for PP-                 AppNote
                                                                                                         A)
 238     7/27/2006    8/30/2006                    8/23/2006        Smithson           PP                add (i.e. duplicate) definitions from PP tables into the Glossary appendix                    C
                                                                                    glossary
                                                                                    appendix
 237     7/26/2006    8/30/2006                    8/24/2006       Thrasher         Clauses              Change the asset "Availability" to "HCD Availability" where appropriate                       C
 236     7/26/2006    8/30/2006                                    All editors         All               Change "SNMP triggers" to "SNMP traps"                                                        C        Not a problem in PP-A,B,C, or D
 235     7/26/2006    8/30/2006                    6/22/2007      PP Editors /        PPs                Align definitions of the threats from PP with clause 7                                        C        depends on AI#344
                                                                   Thrasher
 234     7/26/2006    8/30/2006                   10/18/2006       Smithson           PPs                Investigate need for A.NO_GENERAL_PURPOSE                                                     C        Cannot make the assumption,
                                                                                                                                                                                                                because it would require
                                                                                                                                                                                                                OE.NO_GENERAL_PURPOSE
 233     7/26/2006    8/30/2006                                     Smithson          PPs                Definition of "user security properties" from FIA_URE2 and "other user" from                  A        FIA_URE not in CCv3.1
                                                                                                         FIA_UAU.2
 232     7/26/2006    8/30/2006                   10/19/2006        Smithson          PPs                Resolve issue of FPT_RIP.1 and FPT_RIP.2 as per David Freas' e-mail of July 16                C        RIP.1 and RIP.2 have new
                                                                                                                                                                                                                definitions in CCv3.1 (RIP.1 is
                                                                                                                                                                                                                subset, RIP.2 is full) Addressed in
                                                                                                                                                                                                                proposal lexington-23


 231     7/26/2006    8/30/2006                    8/24/2006        Thrasher        Clause 2             Add "RIP" acronym -- Raster Image Processor                                                   C
 230     7/26/2006    8/30/2006                    8/30/2006       PP Editors      All PPs: Fig          Add "External Environment" cloud                                                              C        Figure done and distributed
                                                                                   1 & Table 1                                                                                                                  PP-A,B,C,D done

 229     7/26/2006    8/30/2006                    8/30/2006       PP editors      All PPs: Fig          Change box entitled "Application Software" to two parallel boxes entitled "Firmware"          C        Figure done and distributed
                                                                                         1               and "Applets"                                                                                          PP-A,B,C,D done
 228     7/26/2006    8/30/2006                    8/24/2006       Thrasher            6.2.5             Split Firmware out as 6.2.5.1 and Applet as 6.2.5.2                                           C
 227     7/26/2006    8/30/2006                    8/30/2006    Smithson, Nevo,    PP-A, PP-             "HCD Availability" is an asset in PP-A, PP-B, PP-C. Update these PPs to reflect the           C        PP-A,B,C and glossary done
                                                                     Chen           B, PP-C              concept and name change. "HCD Availability" == "TOE Availability" (Glossary as
                                                                                                         well)
 226     7/26/2006    8/30/2006                   11/21/2006       PP editors      PP-A, PP-             Add SFRs for T.EA.FAXBRIDGE                                                                   C        ADV_ARC.1
                                                                                      B
 225     6/19/2006    7/19/2006                    7/27/2006           all           PPs                 consider changes proposed by Smithson for PP threat/objective changes (see June               C        Proposals 1,3, and 4 accepted
                                                                                                         minutes and email of 6/16/2006)                                                                        Proposal 2 rejected
 224     6/20/2006    7/19/2006                    8/23/2006        Smithson        Annex E              Add T.EA.FAXBRIDGE to Annex E tables (shoot for low score) and give to Thrasher               C

 223     6/19/2006    7/19/2006                                    PP editors         PPs                asset description changes from clause 6 update                                                C        PP-A, B, C & Ddone
 222     6/20/2006    7/19/2006                    7/15/2006       PP editors         PPs                add TR 15446 reference?                                                                       C
 221     6/20/2006    7/19/2006                    8/29/2006         Aubry            PPs                short description changes for T.DOS.FAX and other threats; also long description              C        not T.DOS.FAX yet (see AI #220),
                                                                                                         changes; see clause 7 changes                                                                          but do the others
                                                                                                                                                                                                                PP-A, B, C, D done
 220     6/19/2006    7/19/2006                    7/26/2006           all             all               consider T.DOS.FAX proposal (see June minutes and email of 6/30/06) and be                    C        Accepted without objection
                                                                                                         prepared to decide at July meeting                                                                     Also, include an application note
                                                                                                                                                                                                                that recovery may not be fully
                                                                                                                                                                                                                automatic if such attacks result in
                                                                                                                                                                                                                exhausted consumables


 219     6/19/2006    7/19/2006                    7/26/2006           all             all               consider T.UD.PHY.OUTPUT proposals (see June minutes and email of 6/30/06) and                C        O.ACCESS for OpEnvA, not for
                                                                                                         be prepared to decide at July meeting                                                                  others
                                                                                                                                                                                                                OE.LOCATION, OE.TRAIN for B
                                                                                                                                                                                                                OE.TRAIN for C
                                                                                                                                                                                                                No requirement for D
 218     6/19/2006    7/19/2006                                       Nevo             -                 distribute copy or link to Air Force policy about fax/network separation                      C
 217     6/20/2006    7/19/2006                    8/29/2006          Aubry           PPs                Reflect modifications of term defs and threat defs into PPs                                   C        PP Annexes done
                                                                                                                                                                                                                PP-A, B, C, D done
 216     6/20/2006    7/19/2006                    7/18/2006     Smithson, Nevo   PP-A, PP-              Add T.EA.FAXBRIDGE                                                                            C        PP-A, B done, see email
                                                                                      B
 215     6/20/2006    7/19/2006                                        ?              10                 Create Compliance Clause                                                                      A        see AI#260
 214     6/20/2006    7/19/2006                                     Smithson       Annex E               Update Annex E to include T.EA.FAXBRIDGE                                                      A        See AI #224
 213     6/19/2006                                                  Thrasher       Annex E               Update tables 61 and 63 to reflect DoS threat level elevations                                C
 212     6/19/2006    7/19/2006                    8/30/2006    Nevo, Chen, Aubry PP-B, PP-              Take basic robustness text (unmodified) from CIM instruction #3 and insert as clause          C
                                                                                   C, PP-D               3.1.
 211     6/19/2006    7/19/2006                                    PP editors        PPs                 Change clause 1.2 to read “The Target of Evaluation (TOE) of this Protection Profile          A        was already an action item (see
                                                                                                         is the entire Hardcopy Device (HCD) as available to end customers, i.e., the                           #193)
                                                                                                         compliant configuration.”

 210     6/19/2006    7/19/2006                    8/24/2006       Thrasher            5                 Correct the figures in clause 5 to make them consistent with the words                        C
 209     6/19/2006    7/19/2006                    8/29/2006         Aubry            PPs                Replace all instances of "/" with the word "or"                                               C        PP-A, B, C, D done
 208     6/19/2006    7/26/2006                    7/24/2006         Wright            All               Submit revised PAR with new scope and purpose                                                 C
 207     5/24/2006    6/19/2006                    6/12/2006       Smithson           PP-A               need to merge T.TSF.CRED.DISK in table 11 back into T.TSF.CRED                                C
 206     5/24/2006    6/19/2006                    6/13/2006     Smithson, Nevo      PP-A,B              need to update T.UD.PHY.OUTPUT in table 11 to correspond with changes made in                 C        see also email discussion about
                                                                                                         table 10                                                                                               T.UD.PHY.OUTPUT
 205     5/24/2006    6/19/2006                    6/13/2006      Chen/Sukert,     PP-A,B,C              note after Actor table of PP-D should appear in PP-A,B,C                                      C
                                                                 Nevo, Smithson
 204     5/24/2006    6/19/2006                     6/9/2006       PP editors         PPs                actor table (per new threat descriptions in clauses) should appear in PPs                     A        mistaken entry
 203     5/24/2006    6/19/2006                    8/29/2006         Aubry            PP-D               update actor definitions to be consistent with PP-A                                           C
 202     5/23/2006    6/19/2006                    6/12/2006       Smithson           PPs                see if changing T.DOS.FAX.LOOP definition to "sending or receiving" makes a                   C        T.DOS.FAX.LOOP doesn't appear
                                                                                                         difference in any PP                                                                                   in any PPs
 201     5/23/2006    6/19/2006                    6/13/2006        Smithson        annex E              go through old spreadsheets and figure out what changes are needed to make T.DOS              C        see email
                                                                                                         a moderate level priority for environment A
 200     5/23/2006    6/19/2006                    6/16/2006        Smithson           web               make participant list consistent with updated list from Thrasher                              C
 199     5/24/2006    6/19/2006                    8/24/2006        Thrasher         clauses             list of editor items in                                                                       C
                                                                                                         http://grouper.ieee.org/groups/2600/presentations/Paris/P2600_1_to_9_editor_action_items.txt
  198    5/24/2006    6/19/2006                                    PP editors        PP-A, PP-        Resolve and document the issue of mandating encryption on the network for PP-A                        C       proposal made for consideration at
                                                                                         B            and PP-B                                                                                                      Camas
                                                                                                                                                                                                                    DID we decide to remove
                                                                                                                                                                                                                    T.UD.SNIFF.NET in Rochester?
 197     5/24/2006    6/19/2006                                Thrasher/Wright/R         9              Try to find references to Russian and German disk wiping algorithms                                C        found reference to VSITR
                                                                      on                                                                                                                                            found reference to GOST?
 196     5/23/2006    6/19/2006                                    Thrasher               8             We need a reference for EMSEC in 8.3.9.2                                                           C
 195     5/23/2006    6/19/2006                   8/24/2006        Thrasher               8             Better background text for 8.3.5.2 (T.UD.ACC.HACK)                                                 C
 194     5/23/2006    6/19/2006                                    Thrasher               7             Add threat actors (definitions, within each threat, summary table)                                 C
 193     5/23/2006    7/19/2006                                     Aubry                PP             Change PP 1.2 (TOE Overview) to make clear that the TOE must be the whole                          C        "The Target of Evaluation (TOE) of
                                                                                                        product not just a subset or a feature.                                                                     this Protection Profile is the entire
                                                                                                                                                                                                                    Hardcopy Device (HCD) as
                                                                                                                                                                                                                    available to end customers, i.e., the
                                                                                                                                                                                                                    compliant configuration."
                                                                                                                                                                                                                    PP-A, B, C done


 192     5/23/2006    6/19/2006                   9/15/2007         PPV                  PP             Develop list of benefits for those helping to pay to get the PPs certified.                        C
                                                                subcommittee
 191      5/4/2006    5/24/2006                                     group                2              The IEEE Style Guide does not number the Normative References.....                                 C        Leave them numbered
 190      5/4/2006    5/24/2006                                   Thrasher            annex A           The IEEE Style Guide has a Bibliography instead of an Informative References                       C        Change to "Bibliography"
                                                                                                        annex.
 189      5/4/2006    5/24/2006                                    Thrasher           annex A           We still have no references for the German VSITR and Russian GOST disk wiping                      C
                                                                                                        standards.
 188      5/4/2006    5/24/2006                                      group            annex A           The new DoD 5220.22-M NISPOM document released in Feb. 2006 has removed the                        C        The link provided in Annex A is the
                                                                                                        disk wiping mechanism that was in the 1995 version.....                                                     1995 version with the 1997
                                                                                                                                                                                                                    updates.
 187      5/4/2006    5/24/2006                                    Thrasher           annex A           The following Informative References aren't cited anywhere in the document: 3, 12,                 C        OK, remove 119 and renumber
                                                                                                        15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 35, 42, 43, 44,
                                                                                                        45, 100, 105, (and 119 is a dup of 14).
 186      5/4/2006    5/24/2006                                    Thrasher          3, annex A         FISMA is only cited in the Acronyms and Informative reference clauses but NOT                      A        OK to leave it in
                                                                                                        anywhere in the text.
 185      4/4/2006    5/16/2006                   8/24/2006        Thrasher            3&5              remove references to "Custom" environment, and refer only to "Public" (type C)                     C
                                                                                                        environment
 184      4/3/2006    5/16/2006                   5/15/2006         Aubry             PP-D              remove T.UD.PHY.OUTPUT from threat table                                                           C
 183      4/3/2006    5/16/2006                   5/12/2006    Smithson, Nevo,       PP-A,B,C           change objectives for T.UD.PHY.OUTPUT: remove O.I&A, O.ACCESS, and                                 C
                                                                Chen/Sukert                             O.MONITOR; add OE.LOCATION
 182      4/3/2006    5/16/2006                   5/12/2006    Smithson, Nevo         PP-A,B            remove reference to media marking component from O.DELETE                                          C
 181      4/3/2006    5/16/2006                    5/8/2006        Wright              admin            item for Paris agenda: PP-D EAL1/LAPP review, and consider if threats/assumptions                  C
                                                                                                        should be included in that PP
 180      4/3/2006    4/24/2006                   4/27/2006        Smithson            admin            remind editors about global search/replace items and filename changes in PPs                       C        Look for use of the word "media". It
                                                                                                                                                                                                                    should refer to material on which
                                                                                                                                                                                                                    printing and scanning is performed.
                                                                                                                                                                                                                    For other uses, find another word
                                                                                                                                                                                                                    or use a modifier like "storage
                                                                                                                                                                                                                    media". (PPs are OK, 3 & 7 done)
                                                                                                                                                                                                                    Change references to "profile" to
                                                                                                                                                                                                                    either "Protection Profile" or
                                                                                                                                                                                                                    "Operational Environment", as
                                                                                                                                                                                                                    appropriate (HVA, ENT, Pub,
                                                                                                                                                                                                                    SOHO PPs are OK)
                                                                                                                                                                                                                    Change "Device Interface(s)" to
                                                                                                                                                                                                                    "External Device Interface(s)"
                                                                                                                                                                                                                    Remove "Internal Users" &
                                                                                                                                                                                                                    "External Users" --- use "users" as
                                                                                                                                                                                                                    appropriate




 179      4/3/2006    4/24/2006                   4/27/2006        Smithson            admin            send reminders to all assignees of action items                                                    C
 178      4/3/2006    4/24/2006                   4/26/2006        Smithson            admin            reconcile/correlate multiple action items on same subjects and remove duplicates                   C

 177      4/3/2006    5/16/2006    7/26/2006     10/20/2006        Smithson            PP-B             Change SARs to CCV3 @ EAL2                                                                         C        proposal to be discussed in
                                                                                                                                                                                                                    Lexington-23
 176      4/3/2006    5/16/2006    7/26/2006     10/20/2006        Smithson            PP-A             Change SARs to CCV3 @ EAL3                                                                         C        proposal to be discussed in
                                                                                                                                                                                                                    Lexington-23
 175      4/3/2006    5/16/2006    6/19/2006                         Aubry           PP Figure 1        Update figure to account for removal of Internal User, External User and Normal User               C        needs to be put in PP-D

 174      4/3/2006    5/16/2006    2/22/2007      4/4/2007         Smithson             PPs             Reformat to IEEE Style Template                                                                    C        PP-A done, others will be based on
                                                                                                                                                                                                                    that one
 172      4/3/2006    5/16/2006    7/26/2006      7/15/2006        Smithson             PP              Complete references, update acronyms, harmonize PP glossary with clause 3                          C        done, done, done…
                                                                                      Annexes           including adding some missing terms.
 171      4/3/2006    5/16/2006                   5/16/2006         Cybuck             Plain            Ask NIAP's opinion of results of 170                                                               C        was discussed at May mtg
                                                                                      English
                                                                                       SFR
 170      4/3/2006    5/16/2006                   4/17/2006      Chen/Sukert            Plain           Clean up both versions of the example SFR replacing "subject," "object," etc to the                C
                                                                                       English          actual subject and object. Send to Peter.
                                                                                       SFRs
 169      4/3/2006    5/16/2006                                  Chen/Sukert            PPs             Change definitions of User Document Data and User Function Data to match what is                   C
                                                                                                        in clause 3.
 168      4/3/2006    5/16/2006                   4/10/2006        Sukert             Clause 3          Merge clauses 3.1 & 3.2                                                                            C        All definitions are now in 3.1
 167      4/3/2006    5/16/2006                   5/12/2006       PP editors            PPs             Use "Normal User(s)" when referring to non-administrative, non CE users. Use                       C
                                                                                                        "Users" when you want to refer to ALL users.
 166      4/3/2006    5/16/2006                   4/26/2006    all clause editors,       All            Remove "Internal Users" & "External Users" --- use "users" as appropriate                          A        subsumed by AI#180
                                                                  all PP editors

 164      4/3/2006    5/16/2006    7/26/2006      8/29/2006          Aubry               All            Should we use "credential" or "authentication data" ??                                             C        Use "authentication data"
                                                                                                                                                                                                                    PP-A, PP-B, PP-C, PP-D done
 163      4/3/2006    5/16/2006                   4/28/2006          Aubry             PP-D             Put assumptions & threats back into PP-D                                                           C        Even though this is EAL 1 & threats
                                                                                                                                                                                                                    are not required, the group wants
                                                                                                                                                                                                                    to provide this information.

 162      3/3/2006    3/27/2006                   4/28/2006      Nevo/Aubry/            PPs             provide additional description of environment (see email instructions)                             C
                                                                 Chen/Sukert
 161      3/3/2006    3/27/2006                   4/28/2006      Nevo/Aubry/            PPs             change environment names (see email instructions)                                                  C
                                                                 Chen/Sukert
 160      3/3/2006    3/27/2006                                  Nevo/Aubry/            PPs             update threat description tables to add subthreat column (see HVA 17a for example)                 C        PP-A done
                                                                 Chen/Sukert                            but always list applicable subthreats even if all are included in the roll-up; if there are
                                                                                                        no subthreats to a roll-up, list the roll-up
 159      3/3/2006    3/27/2006                   4/28/2006          Aubry             PP-D             Remove T.UD, add EA.PROXY, add SW.UPDATE, make EAL1, low assurance PP                              C

 158      3/2/2006    3/27/2006    7/26/2006     10/20/2006        Smithson             HVA             Compare the Security Functional Requirements (Sect 6.1 in HVA PP) if written to                    C        proposal to be discussed in
                                                                                                        comply with CIM-Medium Robustness versus CIM Basic Robustness                                               Lexington-23

 157      3/2/2006    3/27/2006    7/26/2006     10/20/2006        Smithson             HVA             Compare the Security Assurance Requirements (Sect. 6.2 in HVA PP) if written at                    C        proposal to be discussed in
                                                                                                        EAL2 versus EAL3.                                                                                           Lexington-23
 156      3/2/2006    3/27/2006                                     Sukert            Clause 3          Compare CIM term definitions versus clause 3 and make recommendation as to how                     C
                                                                                                        to handle any differences.
 155      3/2/2006    3/27/2006                   3/22/2006        Smithson             PPs             Rewrite PP 3.3 to flow better.                                                                     C        see also rewrite of PP 3.0
                                                                                                                                                                                                                    need to apply to PP-B,C,D
 154      3/2/2006    3/27/2006                                      Aubry              PPs             Section 2.1 of the PPs -- For CC V3 "strict conformance" is no longer appropriate.                 C        PP-A, B, C done
                                                                                                        See CCv3 part1 pg34-35 sec 9.4.

 153      3/2/2006    3/27/2006                   3/22/2006        Smithson          HVA/ENT            Propose solution to omission of T.TSF.CRED.DISK                                                    C        see email
                                                                                                                                                                                                                    needs to be applied to PP-B
 152      3/2/2006    3/27/2006                   5/19/2006        Smithson            clause 7         Go through threats in clause 7 and propose more specific threat agents                             C
 151     1/23/2006     3/2/2006                    2/1/2006        Smithson           HVA, Ent,         AI #150 applicable to others PPs?                                                                  C        no, other PPs are OK
                                                                                     SOHO PPs
 150     1/23/2006    3/2/2006                    3/2/2006       Sukert/Chen          Public PP         ADV_ARC subheadings should be H4's (also ADV_TDS, PRE, etc)                                        C
 149     1/23/2006    3/2/2006                                      Nevo               All PPs          rationale section still has app notes -- need to move to where they are needed (at                 C        PP-B still has a section 7
                                                                                                        least in Public PP, maybe others)
 148     1/23/2006    3/2/2006                     3/2/2006          open              All PPs          all PPs need ALC_FLR.2 for EAL 2 Extended                                                          C        subsumed by AI 124
 147     1/23/2006    3/2/2006                    8/23/2006    Smithson (contact       All PPs           apply what is learned from AI #146                                                                A        FDP_ISA isn't in v3.1, so this is no
                                                                   Carmen)                                                                                                                                          longer relevant (See FMT_MSA.3
                                                                                                                                                                                                                    in CCV3.1)
 146     1/23/2006    3/2/2006                    3/2/2006         Smithson            All PPs          find out (from NIAP) how FDP_ISA is used in real life                                              C        on the list for March meeting with
                                                                                                                                                                                                                    NAP
 145     1/23/2006    3/2/2006                    4/26/2006       PP editors           All PPs          need to use D.* for subjects in section 6 of PPs                                                   A        subsumed by AI#100
 144     1/23/2006    3/2/2006                    4/26/2006         open               All PPs          need to reconcile naming conventions for subjects, objects, and operations                         A        subsumed by AI#100
 143     1/23/2006    3/2/2006                    4/28/2006       PP editors           All PPs          In the Threat description section, for all threats that represent several sub-threats, list        C
                                                                                                        each subthreat by name
 142     1/23/2006    3/2/2006                    2/1/2006         Smithson           HVA, Ent,         put "Network Management" as parenthetical description of OE.NET_MANAGE                             C        HVA done
                                                                                     SOHO PPs                                                                                                                       SOHO n/a
                                                                                                                                                                                                                    Enterprise - not defined??
 141     1/23/2006    3/2/2006                    2/23/2006        Smithson        HVA, Ent,            apply changes made to Pub PP 16a 2.4 to other PPs                                                  C
                                                                                  SOHO PPs
 140     1/18/2006    3/2/2006                    2/23/2006        Smithson        HVA, Ent,            apply changes made to SOHO PP 16a to other PPs                                                     C
                                                                                    Pub PP
 139     1/18/2006    3/2/2006                    2/23/2006    clause editors and     All               change references to "Security Environment" to "Operational Environment"                           C
                                                                   PP editors
 138     1/18/2006    3/2/2006                    4/26/2006     Cybuck, Wright,     5, PPs              Change references to "profile" to either "Protection Profile" or "Operational                      A        subsumed by AI#180
                                                                   Haapanen,                            Environment", as appropriate
                                                                Thrasher, Sukert
 137     1/18/2006    3/2/2006                                      Cybuck               5              Capitalize environment names (High Value Asset, etc.)                                              C
 136     1/18/2006    3/2/2006                                      Cybuck               5              add description and graphic for "island" and/or small business example of HVA                      C
                                                                                                        environment
  135    1/18/2006    3/2/2006                     2/23/2006          Smithson         All PPs            change FAX to fax                                                                                 C
  134    1/18/2006    3/2/2006                                          Sukert             3              put definitions in IEEE terms and definitions style                                               C
  133    1/18/2006    3/2/2006                     3/23/2006            Wright           8,9              change Kbps to kb/s                                                                               C
  132    1/18/2006    3/2/2006                     2/23/2006         PP editors        All PPs            make the definition of Firmware consistent with clause 3                                          C
  131    1/18/2006    3/2/2006                     4/26/2006     all clause editors       All             Look for use of the word "media". It should refer to material on which printing and               A       subsumed by AI#180
                                                                                                          scanning is performed. For other uses, find another word or use a modifier like
                                                                                                          "storage media".
 130     1/18/2006     3/2/2006                    3/23/2006         Wright             Refs               put references in IEEE citation style                                                           C
 129     1/18/2006     3/2/2006                    3/23/2006         Wright             Refs               look for references in Annexes                                                                  C
 128     1/17/2006                                                   Aubry            SOHO PP              Add ALC class to SOHO                                                                           C
 127     1/17/2006     3/2/2006                    3/2/2006       Sukert/Chen         Public PP            Put .AB back into Public                                                                        C
 126     1/17/2006                                              Aubry/Thrasher/S      SOHO PP              Develop proposal for SoHo PP to deal with issue of requiring user identification to be          C        See AI #159 for implementation
                                                                    mithson                                able to print.
 125     1/17/2006     3/2/2006                     3/2/2006         Wright           Clause 9             Merge "clause 8 annexes" into clause 9. Make it informative.                                    C
 124     1/17/2006     3/2/2006                    4/26/2006    Smithson/Nevo/        Public PP            Add ALC_FLR.2 to Public PP and then to other PPs                                                A        subsumed by AI#68
                                                                     Aubry
 124     1/17/2006     3/2/2006                   10/20/2006       Smithson           Public PP            In 6.1.2.4: Define the objects that the access control must be performed on. Results            C        proposal to be discussed in
                                                                                                           apply to other PPs.                                                                                      Lexington-23
 123     1/16/2006     3/2/2006                    3/2/2006          Alan S.              3                Reformat definitions, acronyms, etc to match IEEE Style manual                                  C
 122     1/16/2006     3/2/2006                                     PP editors           PP                Analyze what is missing from PP based on results of AI 121                                      A
 121     1/16/2006     3/2/2006                                    Sukert/Aubry          PP                Correlate SFRs for the CIM V3 T., A.,P. from NIAP                                               A        Waiting for CCV3 CIM
 120     1/16/2006     3/2/2006                                     Smithson             PP                Implement AI #95                                                                                C        No action needed, we have SOs
                                                                                                                                                                                                                    for the OpEnv
 119      1/5/2006    1/16/2006                    1/17/2006      All clause/PP          All               all editors: enable change tracking                                                             C
                                                                      editors
 118      1/5/2006    1/16/2006                    1/8/2006         Smithson              All              start posting doc files                                                                         C
 117      1/5/2006    1/16/2006                    1/5/2006         Smithson           Clause 5            send word doc and graphics to Peter                                                             C
 116      1/5/2006    1/16/2006                                       Cybuck           Clause 5            change MFD to HCD                                                                               C
 115      1/5/2006    1/16/2006                                       Cybuck           Clause 5            update captions on figures                                                                      C
 114      1/5/2006    1/16/2006                                        Nevo            All PPs             add OE.NET_MANAGE and OE.NETWORK to T.DOS.NET threats (ALL applicable                           C        Doesn't apply to PP-D
                                                                                                           profiles)
 113      1/5/2006    1/16/2006                    1/11/2006       Chen, Sukert        Pub PP               global change: vendor -> manufacturer                                                          C        Smithson checked and changed all
                                                                                                                                                                                                                    PPs
 112      1/5/2006    1/16/2006                    1/6/2006        Chen, Sukert         Pub PP              fix numbering, heading styles, etc                                                             C
 111      1/5/2006    1/16/2006                                    Nevo/Aubry          HVA, Ent,           should put "accounting events" in the other PPs in O.MONITOR as done in the                     C        PP-A, PP-B done
                                                                                      SOHO PPs             PUBLIC PP
 110      1/5/2006    1/16/2006                     3/2/2006        Thrasher           Clause 7             clause 7: remove t.tsf.conf.ab from Public PP threats                                          C        We decided to put this back in
 109      1/5/2006    1/16/2006                    3/15/2006        Smithson           HVA, Ent            Make T.UD.SNIFF.* consistent in HVA & ENT                                                       C        PP-B needs to change
                                                                                         PPs
 108      1/5/2006    1/16/2006                    1/11/2006        Smithson            All PPs             refer to sections, not chapters (or clauses)                                                   C
 107      1/5/2006    1/16/2006                    3/15/2006        Smithson           HVA PP               make sure t.resource.copy is in HVA PP                                                         C
 106      1/5/2006    1/16/2006                    1/11/2006        Smithson            All PPs             global check for "user document data" (correct) vs "user document", and "user                  C
                                                                                                           function data" (correct) vs "user functional data"
 105      1/5/2006    1/16/2006                    1/11/2006        Smithson           All PPs              fix bookmarks that have a leading paragraph                                                    C
 104      1/5/2006    1/16/2006                    1/11/2006        Smithson           All PPs             remove/fix sentences which refer to "below" or "above" in reference to figures or               C
                                                                                                           tables
 103      1/5/2006    1/16/2006                    2/23/2006        Smithson            All PPs            Figure 2: remove "External" Device Interface                                                    C
 102      1/5/2006    1/16/2006                    1/11/2006        Smithson             HVA,              need to reflect these changes made in Enterprise PP between version 14b and 14c                 C
                                                                                       SOHO,
                                                                                       Pub PPs
 101      1/5/2006    1/16/2006                                        Nevo            All PPs             Review definitions in clause 3 (especially changes between 14a and 14b) and update              C
                                                                                                           PP definitions if/as needed
 100     12/14/2005   1/16/2006                   10/20/2006        Smithson           All PPs             Update the PPs in the area of Subjects, Objects and Operations as per requirements              C        proposal to be discussed in
                                                                                                           of CCv3. Make consistent across PPs.                                                                     Lexington-23
                                                                                                           need to reconcile naming conventions for subjects, objects, and operations (old
                                                                                                           AI#144)
                                                                                                           need to use D.* for subjects in section 6 of PPs (old AI#145)
  99     12/13/2005   1/16/2006                     3/3/2006        Smithson           All PPs             Update PPs section 6 to match CCv3.                                                             A        Subsumed by AI #68
  98     12/13/2005   1/16/2006                    1/11/2006        Smithson           All PPs             PP Section 2 conformance claims need to be re-written to conform to CCv3                        C
                                                                                                           guidance.
  97     12/13/2005   1/16/2006                                       PPV                                  Decide how to get PPs certified and paid for                                                    C        Estimates in hand from Coact,
                                                                  subcommittee                             Talk to your company about funding $10000-$20000                                                         CSC, SAIC (see AI 312)
  96     12/13/2005    1/16/2006                    1/7/2006         Sukert            Clause 3            Define Media                                                                                    C
  95     10/25/2005   12/13/2005                   1/13/2006        Smithson             PPs               do we need security objectives for IT and non-IT in CCv3?                                       C        answer: we need SOs for the TOE,
                                                                                                                                                                                                                    the development environment, and
                                                                                                                                                                                                                    the operational environment. SOs
                                                                                                                                                                                                                    for the TOE and DevEnv address
                                                                                                                                                                                                                    threats and OSPs, SOs for the
                                                                                                                                                                                                                    OpEnv address Threats, OSPs,
                                                                                                                                                                                                                    and Assumptions. Therefore if we
                                                                                                                                                                                                                    have assumptions we must have
                                                                                                                                                                                                                    SOs for the OpEnv. OpEnv
                                                                                                                                                                                                                    includes both non-IT and IT
                                                                                                                                                                                                                    (external to the TOE).




  94     10/24/2005   12/13/2005                  12/13/2005         Thrasher             7                re-sync symptoms between some items in threat detail tables                                     C
  93     10/24/2005   12/13/2005                  12/13/2005         Thrasher             7                re-sync short threat descriptions in with short descriptions in detail tables                   C
  92     10/24/2005   12/13/2005                  12/13/2005         Thrasher             7                threat detail tables: change "see" to "observe", define these table entries at beginning        C
                                                                                                           of section, and change "end users" to "users"
  91     10/24/2005   12/13/2005                  12/13/2005         Sukert               3                put OCTAVE (acronym and registered TM) in clause 3                                              C
  90     10/24/2005   12/13/2005                  12/13/2005    Smithson, Nevo,          PPs               add Network threat to T.RESOURCE.COPY                                                           C
                                                                 Aubry, Chen/
                                                                     Sukert
  89     10/24/2005   12/13/2005                  12/13/2005       Thrasher               7                add Network threat to T.RESOURCE.COPY                                                           C
  88     10/24/2005   12/13/2005                  12/13/2005       Smithson            annexes             Is another annex "additional references" needed? Find out.                                      C        No
  87     10/25/2005   12/13/2005    2/22/2007      5/31/2007     Smithson/Nevo            6                write up asset value methodology                                                                A        no longer needed
  86     10/25/2005   12/13/2005                    3/2/2006       Smithson            HVA PP              If we specify FIA_UAU.1, does that allow third-party authentication? .2 REQUIRES                C        NIAP provided information on how
                                                                                                           third-party but does .1 prohibit third party?                                                            to do this at the March meeting.

  85     10/25/2005   12/13/2005                   3/2/2006         Smithson           HVA PP              Ask NIAP to define how they are going to deal with encryption as they did in the CIM            C        Answered in March Meeting
                                                                                                           for CCv2.2
  84     10/25/2005   12/13/2005                   1/13/2006          Sukert           Clause 8            Provide text and references for recommendations to manufacturers for                            C        new annex
                                                                                                           methodologies and processes for the development of secure HCDs
  83     10/24/2005   12/13/2005                  12/13/2005          Sukert                               Table 2, Clause 3: Add SAR, change to US English, Add needed acronyms.                          C
  82     10/24/2005   12/13/2005                  12/13/2005          Wright                               Difference between informative references and Bibliography??                                    C        We only needed a "References"
                                                                                                                                                                                                                    section and a "Bibliography"

  81     10/24/2005   12/13/2005                   2/1/2006         Smithson             PPs               Try to set up a meeting with NIAP/NIST/NSA about the philosophy of our PPs (who                 C        Cybuck invited them to March
                                                                                                           from group?)                                                                                             meeting; they have accepted
  80     9/16/2005    10/24/2005                  10/24/2005    Cybuck, Sukert,          PPs               discuss PP evaluation needs with labs                                                           C        CSC: $25-50K, COACT: ~$25K
                                                                  Thrasher                                                                                                                                          (CCV3-ok), SAIC: ~15K
  79     9/16/2005    10/24/2005                  10/24/2005        Volkoff               -                gather December meeting hotel/meeting info                                                      C
  78     9/16/2005     9/19/2005                   9/16/2005       Smithson             SOHO               inform Carmen Aubry of the decision to move to CC V3                                            C
  77     9/16/2005    10/24/2005                  12/13/2005        Cybuck               all               get feedback from NIAP on our security environment naming proposal: High Value                  C        There is some confusion about
                                                                                                           Asset Environment, General Enterprise Environment, Public Environment, and SOHO                          "HIGH" because it might be
                                                                                                           Environment                                                                                              confused with EAL level 5 or 6 but
                                                                                                                                                                                                                    we don't have a better term.


  76     9/15/2005    10/13/2005                   3/15/2006    Volkoff, Smithson,      6, PPs             redefine "external environment" in clause 6 and PPs: "external environment consists of          C        clause 6 done
                                                                  Nevo, Aubry                              other IT equipment that is interconnected or interoperates with the HCD"                                 "external environment" does not
                                                                                                                                                                                                                    appear in any PPs
  75     9/15/2005    10/6/2005                    2/8/2006         Smithson              7                write up threat analysis methodology, then include in clause 7 or an annex thereof              C        Turn bullet list of process into text
                                                                                                                                                                                                                    and make an annex.
  74     9/15/2005    10/13/2005                  12/13/2005        Smithson           HS PP               Change the definition of the HS environment in section 1 to exclude government                  C        We don't explicitly include govt
                                                                                                           classified environments. We could consider Adding "Commercial" in front of "High                         classified environments in the PP.
                                                                                                           Security." (from comments database #7)
  73     9/15/2005    10/13/2005                  10/24/2005        Smithson           HS PP       7.2.1   Add to this paragraph how FTA_SSL.3 helps achieve O.I&A. Justification:                         C        redundant with AI#33
                                                                                                           Completeness and consistency between Table 12 and corresponding text. (from
                                                                                                           comments database #5)
  72     9/16/2005    10/13/2005                   3/15/2006    Smithson, Nevo,          PPs               review revised threat inclusions and PPs as needed                                              C
                                                                     Aubry
  71     9/16/2005    10/13/2005                  10/24/2005       Thrasher               7                review revised risk levels for each threat and change clause 7 as needed                        C
  70     9/15/2005     9/23/2005                   9/23/2005      Smithson               all               revise and publish "final" threat analysis output                                               C
  69     9/15/2005    10/24/2005                  10/24/2005       Thrasher              PP                at the next CS1 meeting, ask when CC V3 is going to be an international standard                C        Expected 2007 time frame before it
                                                                                                                                                                                                                    completes the International
                                                                                                                                                                                                                    Standards Process

  68     9/15/2005    10/13/2005                  10/20/2006    Smithson, Nevo,          PP                Convert PPs to CC Version 3 plus non-offensive CIM recommendations - open                       C        Converted but with no NIAP/CIM
                                                                     Aubry                                 Add ALC_FLR.2 to Public PP and then to other PPs (old AI#124) - in C & D, not A or                       requirements; proposal to be
                                                                                                           B                                                                                                        discussed in Lexington-23
                                                                                                           add ALC_FLR.2 and AVA_MSU.1 per NIAP instruction #4 (old AI#14) - AVA_MSU -
                                                                                                           not in CCV3

  67     7/12/2005     9/1/2005                                        Nevo             PP-B               O.RESILIENT definition should be made consistent across the PPs -- Because of a                 C        HVA done
                                                                                                           DoS attack, assets are not compromised. Need to add that assets are not                                  Pub done
                                                                                                           compromised to the definition of O.Resilient                                                             SOHO n/a
  66     7/11/2005     9/1/2005                    9/15/2005    Smithson -> Nevo,        PP                change T.DOS.PRT description to say "sending a print file that causes the system                C        Nevo complete,
                                                                      Aubry                                processor to enter a continuous printing or program loop"                                                Smithson:Complete
                                                                                                                                                                                                                    Not relevant for SOHO
  65     7/11/2005     9/1/2005                    9/15/2005    Smithson -> Nevo,        PP                rewrite T.DOS objective so that it does not prohibit reboot as a recovery from attack           C        Nevo complete,
                                                                      Aubry                                                                                                                                         Smithson:Complete
                                                                                                                                                                                                                    Not relevant for SOHO
   64    7/11/2005    9/1/2005                    9/28/2005           Yami             all             propose complete descriptions of and distinctions between "security settings" and                C
                                                                                                       "device settings"
  63     7/11/2005    9/1/2005                    8/1/2005         Smithson            4        x.4.3  add more specificity about different classes of users of the standard, i.e.                     C
                                                                                                       manufacturers, end users, IT people
  62     7/12/2005    9/1/2005                    7/14/2005         Wright              -              combine and publish threat/environment results                                                  C
  61     7/12/2005    9/1/2005                                                                         define/distinguish device settings and security settings                                        A        Subsumed by #64
  60     7/12/2005    9/1/2005                    9/15/2005        PP team            PPs              CIM instructions 7, 8, 9 (supersedes AI#17,18,19)                                               C        Dealt with under conversion to CC
                                                                                                                                                                                                                V3.
  59     7/11/2005    7/12/2005                   7/12/2005        Haapanen         Public PP           review threat analysis output and propose common sense resolution to "yellow" items            C
                                                                                                        with rationale for their inclusion/exclusion
  58     7/11/2005    7/12/2005                   7/12/2005          Chen           SOHO PP             review threat analysis output and propose common sense resolution to "yellow" items            C
                                                                                                        with rationale for their inclusion/exclusion
  57     7/11/2005    7/12/2005                   7/12/2005          Freas           Ent PP             review threat analysis output and propose common sense resolution to "yellow" items            C
                                                                                                        with rationale for their inclusion/exclusion
  56     7/11/2005    7/12/2005                   7/12/2005         Sukert           HS PP              review threat analysis output and propose common sense resolution to "yellow" items            C
                                                                                                        with rationale for their inclusion/exclusion
  55     7/11/2005    9/1/2005                    8/2/2005         Smithson            4                1.4.2 use of the standard FOR EACH ROLE                                                        C
  54     7/11/2005    9/1/2005                    8/1/2005         Smithson            1                need to get original text back into scope and purpose, can have more but not change            C
                                                                                                        original (from PAR)
  53     7/11/2005    9/1/2005                    9/15/2005         Cybuck             PP               if we have a US Govt PP, can another agency certify it, and will the US Govt accept            C        Per Peter's work with NIAP, under
                                                                                                        that product certification?                                                                             CC V3, yes.
  52     5/20/2005    7/11/2005                   9/15/2005         Wright             PP               find out from IEEE editors if PPs can be standalone documents referenced by the                C        Leave PPs in P2600 (at least for
                                                                                                        P2600 standard, or must they be incorporated in a single P2600 document                                 now)

  51     5/20/2005                                5/24/2005         Wright              -               publish email comments database/resolutions                                                    C
  50     5/20/2005    7/11/2005    7/11/2005      6/21/2005    Smithson, w/Aubry        -               give directions and guidelines for performing risk assessment and re-run with new              C        insufficient response to collate
                                                                                                        Enterprise definition (and more participants), see Toronto minutes pg. 18-19 and                        meaningful results
                                                                                                        meeting slides ("Other")
  49     5/20/2005    7/11/2005     9/1/2005                        Cybuck             5                change Enterprise to asset value = M and give new examples (see Toronto minutes                C        examples need to be written
                                                                                                        pg 16-17)
  48     5/19/2005    7/11/2005     9/1/2005      9/15/2005     Ohta -> Nevo,          PP               add intersection between T.TSF.SW and O.I&A (Toronto comment #31)                              C        Not relevant for SOHO
                                                                    Aubry
  47     5/19/2005    7/11/2005     9/1/2005     12/13/2005     Ohta -> Nevo,          PP               threat description changes (Toronto comments #28 and #29)                                      C        Ohta and Nevo complete
                                                                    Aubry
  46     5/19/2005    7/11/2005     9/1/2005      9/15/2005     Ohta -> Nevo,       7, 8, PP            change threat description of EA.PROXY and EA.DOS (Toronto comment #27)                         C        Not relevant for SOHO
                                                               Aubry, Haapanen,
                                                                   Thrasher

  45     5/19/2005    7/11/2005     9/1/2005      9/15/2005      Ohta -> Nevo,         PP               threat description text changes (Toronto comments #23, #24, #25)                               C
                                                                    Aubry
  44     5/19/2005    7/11/2005                                   Haapanen             8                make sure threat descriptions in clause 8 match the text in clause 7 (Toronto comment          C
                                                                                                        #22)
  43     5/19/2005    7/11/2005                   9/15/2005       Haapanen,            7,8              reconcile threat likelihood/risk/whatever between these two clauses (Toronto comment           C        awaiting threat analysis completion;
                                                                   Thrasher                             #21)                                                                                                    restructuring of document
                                                                                                                                                                                                                eliminates duplicate information
                                                                                                                                                                                                                getting out of sync.
  42     5/19/2005    7/11/2005     9/1/2005      8/4/2005         Smithson            5                 add text saying that there can be other Custom envs but they are not further discussed        C
                                                                                                         (Toronto comment #20)
  41     5/19/2005    7/11/2005    7/11/2005      9/15/2005      Ohta -> Nevo          PP                various comments regarding crypto keys (Toronto comment #19)                                  C        Ohta and Nevo complete
  40     5/19/2005    7/11/2005    7/11/2005       7/1/2005      Ohta -> Nevo          PP                elaborate on 4.5.1.3 subsections (Toronto comment #18)                                        C
  39     5/19/2005    7/11/2005    7/11/2005       7/1/2005      Ohta -> Nevo          PP                add role of Auditor and apply where necessary (in HS and Enterprise only) (Toronto            C        Complete
                                                                                                         comments #14 - #16)
  38     5/19/2005    7/11/2005     9/1/2005      9/15/2005      Ohta -> Nevo,         PP                change user and administrator "password" to "authentication data" throughout                  C
                                                                    Aubry                                (Toronto comment #13)
  37     5/19/2005    7/11/2005    7/11/2005       7/4/2005          Yami               8       3.3.2.3.1 draft a table of recommended algorithms and key sizes                                        C
  36     5/19/2005    7/11/2005     9/1/2005       8/4/2005        Smithson             5       1.3.5    clarify security issues in custom env (Toronto comment #11)                                   C
  35     5/19/2005    7/11/2005     9/1/2005      9/15/2005      Ohta -> Nevo,         PP                change T.UD.IMP.* to T.UD.ALTER.* and change definition (Toronto comment #10)                 C        Not relevant for SOHO
                                                                    Aubry
  34     5/19/2005    7/11/2005     9/1/2005      8/4/2005         Smithson            5                change definition of HS env to exclude gov't classified environments (Toronto                  C
                                                                                                        comment #7)
  33     5/19/2005    7/11/2005     9/1/2005     12/13/2005      Ohta -> Nevo,         PP               add to table 12 how FTA_SSL helps O.I&A (Toronto comment #5)                                   C        Ohta and Nevo complete
                                                                    Aubry                                                                                                                                       Not sure if this is needed for
                                                                                                                                                                                                                SOHO
  32     5/19/2005    7/11/2005     9/1/2005      9/15/2005      Ohta -> Nevo,         PP               consistency of table 11 and 12 (see Toronto comment #4)                                        C
                                                                    Aubry

  31     5/19/2005    7/11/2005     9/1/2005      9/15/2005      Ohta -> Nevo,         PP               consistency of table 10 and 11 (see Toronto comment #3)                                        C
                                                                    Aubry
  30     5/19/2005    7/11/2005     9/1/2005      9/15/2005      Ohta -> Nevo,         PP               update Figure 1 with TIF file from Smithson (Toronto comment #2)                               C
                                                                    Aubry
  29     5/19/2005    7/11/2005     9/1/2005      8/25/2005        Smithson            all              reorganize document per agreement detailed in meeting slides                                   C
  28     5/19/2005    7/11/2005                   9/15/2005          open              PP               determine how we can address the "US Government PP" requirement to follow their                C        Use CC Version 3.0
                                                                                                        PP development process that is described in an additional document

  27     5/19/2005    7/11/2005                   9/15/2005          Ohta              PP               look at FDP_IFF (NIAP instruction #23) and FIA_AFL (#24) and modify PP as                      C        Use CC Version 3.0
                                                                                                        appropriate
  26     5/19/2005    7/11/2005    9/15/2005      9/15/2005         Cybuck             PP               per NIAP instruction #21, ask DAPS and/or NIAP about the FIPS 140-2 requirement                C        Use CC Version 3.0

  25     5/19/2005    7/11/2005    9/15/2005      9/15/2005      Cybuck, Ohta          PP               ask evaluators if FAU_GEN.1-NIAP-0407 (an explicit SFR, not a refinement) is                   C        Use CC Version 3.0
                                                                                                        acceptable outside of US (per instruction #16); also NIAP interpretations of FAU_SEL
                                                                                                        (#17), FAU_STG (#18), and FDP_ACF (#22)
  24     5/19/2005    7/11/2005                  12/13/2005        Smithson            PP               per NIAP instruction #15, specify "demonstrable" degree of compliance (and define it)          C        Now goes into "Conformance
                                                                                                        in the PP intro                                                                                         Claims" in CC V3 - High is strict,
                                                                                                                                                                                                                others demonstrable
  23     5/19/2005    7/11/2005                  10/24/2005    Smithson -> Sukert      PP               consider what it means to define a "user" in general, per NIAP instruction #14                 C        used definition of user from CC V3

  22     5/19/2005    7/11/2005                   9/15/2005      Cybuck, Ohta          PP               look at NIAP conventions (instruction #13) to see which NIAP refinements are                   C        Use CC Version 3.0
                                                                                                        required; if there are some, we will then need to determine if NIAP refinements can be
                                                                                                        interpreted by evaluators outside of the US
  21     5/19/2005    7/11/2005                   9/15/2005          Ohta              PP               go through all of NIAP instruction #12 (rationale) and determine implications for our          C        Use CC Version 3.0
                                                                                                        PP
  20     5/19/2005    7/11/2005                   9/15/2005      Cybuck, Ohta          PP               determine what to do about NIAP instruction #10 (regarding IT requirements); see               C        Cybuck reported that NIAP will look
                                                                                                        Toronto minutes page 7; may require asking NIAP and/or one or more PP evaluators                        at our PP; use CC Version 3.0

  19     5/19/2005    7/11/2005                   7/12/2005          Ohta              PP               go through all of NIAP instruction #9 (threats, policies, objectives, and requirements)        C        superseded by AI#60
                                                                                                        and determine implications for our PP
  18     5/19/2005    7/11/2005                   7/12/2005          open              PP               look at NIAP threats (per instruction #8) and consider using their suggested text; also        C        superseded by AI#60
                                                                                                        make sure our threats are appropriate according to their criteria (no threats "that the
                                                                                                        TOE cannot recognize")
  17     5/19/2005    7/11/2005                   7/12/2005        Smithson            PP               consider name/content changes to our Assumptions, per NIAP instruction #7                      C        superseded by AI#60
                                                                                                        (example: A.PHYSICAL instead of A.LOCATION); maybe add
                                                                                                        A.NO_GENERAL_PURPOSE
  16     5/19/2005    7/11/2005                                    Smithson            PP               make an alternate cover page for NIAP use only (per instruction #6)                            C        whoever writes the US Gov't
                                                                                                                                                                                                                version will create the appropriate
                                                                                                                                                                                                                cover page
  15     5/19/2005    7/11/2005                                Smithson -> Nevo        PP               reconcile NIAP's and our PP outline and naming; NIAP 6.2 would be new                          A        Dependent on new CEM for CC V3

  14     5/19/2005    7/11/2005     9/1/2005      4/26/2006    Smithson -> Nevo       PP                add ALC_FLR.2 and AVA_MSU.1 per NIAP instruction #4                                            A        subsumed by AI#68
  13     5/19/2005    7/11/2005                   6/12/2006       Smithson            PPs               consider NIAP instruction #3, modifying their text to suit our target environment (for         C        I suggest that we insert this block of
                                                                                                        NIAP environments)                                                                                      text as a new section 3.1 in each
                                                                                                                                                                                                                PP (choosing the appropriate
                                                                                                                                                                                                                robustness for each PP). See email
                                                                                                                                                                                                                discussion.
  12     5/19/2005    7/11/2005    9/16/2005      2/23/2006        Smithson         new PP              paste NIAP robustness level text into a new annex (see NIAP instruction #5); ensure            C        consistency issues to be discussed
                                                                                     annex              that our definitions and theirs are consistent                                                          at March 06 meeting
  11     4/12/2005    5/19/2005     9/1/2005                       Haapanen            8                finish actual recommendations, align with clause 7 threats                                     C        aligned; recommendations largely
                                                                                                                                                                                                                complete
  10     4/12/2005    5/19/2005     9/1/2005      8/5/2005         Smithson           8, 6              move asset section from section 3 to section 1                                                 C
  9      4/12/2005    5/19/2005     9/1/2005                       Haapanen            8                complete missing sections                                                                      C
  8      4/12/2005    5/19/2005                   9/15/2005        Haapanen            7                decide if we want to include security env columns in final doc                                 A        restructuring of the presentation of
                                                                                                                                                                                                                threats removed this column.

  7      4/12/2005    5/19/2005     9/1/2005      8/4/2005         Smithson            5                add explanatory text about choosing security env based on asset value rather than              C
                                                                                                        topology or name of env
  6      4/12/2005    5/19/2005     9/1/2005     10/11/2005         Sukert          3, annex            add acronyms from old sections 2 and 4                                                         C        draft in 2005-10
  5      4/12/2005    5/19/2005     9/1/2005      8/5/2005         Smithson             6               define assets (from section 3)                                                                 C
  4      4/12/2005    5/19/2005     9/1/2005      8/4/2005         Smithson             5               reference mitigation techniques in section 3 rather than using ones from NIST                  C
                                                                                                        document
  3      4/12/2005    5/19/2005     9/1/2005     10/11/2005         Sukert          3, annex            add terms from section 2                                                                       C        draft in 2005-10
  2      4/12/2005    5/19/2005     9/1/2005      1/4/2006          Wright          2, annex            update bibliography                                                                            C
  1      5/19/2005    7/11/2005     8/1/2005      8/4/2005         Smithson                             post details for September meeting at Ricoh                                                    C

				
DOCUMENT INFO
posted:2/15/2012
pages:8