SPC-4 Add Security Protocol page for reporting security compliance (T10/11-102)

Paul Suhler Paul.Suhler at quantum.com
Wed May 18 16:26:59 PDT 2011


Formatted message: <a href="http://www.t10.org/cgi-bin/ac.pl?t=r&f=r1105185_f.htm">HTML-formatted message</a>

Hi, everyone.
At last week's plenary, we decided not to go forward with the revision
of Gerry's proposal approved in CAP.  Instead we said that we'd discuss
alternative wording that would be acceptable.
The issue was that (if I recall correctly) we'd like to be able to
report this descriptor even if the firmware running in the device had
been neither submitted nor approved as complying with the cited
standard.  In such a case, if the SPC-4 wording requires that the
standard applies to the device, then reporting the descriptor might be
considered inaccurate or misleading. I think that we want to report the
actual Hardware Version, Version, and Module Name of the device, which
may not appear on the compliance certificate on the NIST (or other
agency) web site.
One possible change would be to scrub the proposal and use "may"
wherever appropriate.  For example, in the latest revision
(http://www.t10.org/cgi-bin/ac.pl?t=d&f=11-102r2.pdf), the first
sentence in 7.7.1.5.1:
"The security compliance information page contains information about
security standards that apply to this device."
Would change to:
"The security compliance information page contains information about
security standards that may apply to this device."
The first paragraph of 7.7.1.5.2 already seems weaselly enough:
"The FIPS 140 compliance descriptor (see table new3) contains
information that may be used to locate information about a FIPS 140
certificate associated with the device. The device may or may not be
operating in the mode specified by that certificate."
Then,
"The REVISION field is an ASCII character (see 4.4.1) that indicates the
FIPS 140 revision that applies to the device (see table new4)."
Could change to:
"The REVISION field is an ASCII character (see 4.4.1) that indicates the
FIPS 140 revision that applies may apply to the device (see table
new4)."
Etc., etc. for the other fields.  Perhaps we change "...as reported by
NIST." to "... which may be reported by NIST."	?
Do we also need to explicitly state up front that the device may or may
not comply, and that the information in the descriptor should be checked
against the certifying agency's web site to determine compliance?
Please share your thoughts.
Thanks,
Paul
________________________________________________________________________
_____________________________ 
Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office:
949.856.7748 | paul.suhler at quantum.com	
Preserving the World's Most Important Data. Yours.(tm) 



More information about the T10 mailing list