SPC-4 Add Security Protocol page for reporting security compliance (T10/11-102)

Ballard, Curtis C (StorageWorks) curtis.ballard at hp.com
Wed May 18 17:09:26 PDT 2011



Paul,
Thanks for the thoughts.
Gerry Houlder (Seagate), David Black (EMC), and myself (Curtis Ballard, HP)
got together following the plenary meeting last week and worked on wording
that would make it more clear that the descriptors describe a security
certificate that "Applies To" the device and that the device "may or may not"
be operating in the mode described by the certificate. That wording was not
there following the CAP review.
It looks like Gerry has already incorporated those changes in the revision
posted and the one you reference.
http://www.t10.org/cgi-bin/ac.pl?t=d&f=11-102r2.pdf
With those revisions I am satisfied that there is sufficient guidance for
what the descriptors mean.  I don't feel that adding additional "may"
statements is necessary.
Curtis Ballard
Hewlett Packard

From: owner-t10 at t10.org [mailto:owner-t10 at t10.org] On Behalf Of Paul Suhler
Sent: Wednesday, May 18, 2011 5:27 PM
To: T10 Reflector
Subject: SPC-4 Add Security Protocol page for reporting security compliance
(T10/11-102)
Hi, everyone.
At last week's plenary, we decided not to go forward with the revision of
Gerry's proposal approved in CAP.  Instead we said that we'd discuss
alternative wording that would be acceptable.
The issue was that (if I recall correctly) we'd like to be able to report
this descriptor even if the firmware running in the device had been neither
submitted nor approved as complying with the cited standard.  In such a case,
if the SPC-4 wording requires that the standard applies to the device, then
reporting the descriptor might be considered inaccurate or misleading. I
think that we want to report the actual Hardware Version, Version, and Module
Name of the device, which may not appear on the compliance certificate on the
NIST (or other agency) web site.
One possible change would be to scrub the proposal and use "may" wherever
appropriate.  For example, in the latest revision
(http://www.t10.org/cgi-bin/ac.pl?t=d&f=11-102r2.pdf), the first sentence in
7.7.1.5.1:
"The security compliance information page contains information about security
standards that apply to this device."
Would change to:
"The security compliance information page contains information about security
standards that may apply to this device."
The first paragraph of 7.7.1.5.2 already seems weaselly enough:
"The FIPS 140 compliance descriptor (see table new3) contains information
that may be used to locate information about a FIPS 140 certificate
associated with the device. The device may or may not be operating in the
mode specified by that certificate."
Then,
"The REVISION field is an ASCII character (see 4.4.1) that indicates the FIPS
140 revision that applies to the device (see table new4)."
Could change to:
"The REVISION field is an ASCII character (see 4.4.1) that indicates the FIPS
140 revision that may apply to the device (see table new4)."
Etc., etc. for the other fields.  Perhaps we change "...as reported by NIST."
to "... which may be reported by NIST."  ?
Do we also need to explicitly state up front that the device may or may not
comply, and that the information in the descriptor should be checked against
the certifying agency's web site to determine compliance?
Please share your thoughts.
Thanks,
Paul
_____________________________________________________________________________
Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office:
949.856.7748 | paul.suhler at quantum.com
Preserving the World's Most Important Data. Yours.(tm)


