RE: PD 0126: Administrator-entered Code Used To Meet SFRs
At 05:11 PM 4/8/2006, Nir Naaman wrote:
>This discussion is based on down-to-earth considerations: the ODRB has
>issued a PD whose intention is to limit the extent or nature of installation
>guidance. The ODRB is soliciting comments on this PD.
>Some of the readers of this list believe that the stated constraints are
>wrong.
With respect to "down-to-earth considerations", a phrase
which I normally associate with reference to actual products in
the marketplace where money changes hands, it may be that this
issue really isn't a problem--or, rather, that it will solve
itself in the normal course of business.
Why?
Well, if I were a vendor, and I learned that a competitor's
product required the administrator to type in part of its
security implementation, I would treat it like manna from
heaven. I would use it to hold up my competitor's product
for the ridicule it so richly deserves, and explain, by
contrast, that MY product comes with security built in,
rather than manually transcribed from some printed manual.
And that argument is so easy to understand that, yes, I
think I'd get some good traction with it--regardless of
whether the design is considered compliant with Common
Criteria requirements.
Furthermore, one might expect a producer to feel some
queasiness about exposing itself to such ridicule.
Cheers -- Olin
osibert@orionsec.com