<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">Mike,</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">At the IDS Meeting last Thursday we were asked to look at the PWG Security web page and make some suggested changes from an IDS perspective. Let me begin by saying that at the beginning
we may have gotten a little carried away in wordsmithing the first two paragraphs of the introduction, but the rest of the comments are general and hopefully helpful.</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">Anyway, here are the comments:</span></div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);" class="elementToProof">
<ol data-editing-info="{"orderedStyleType":1,"unorderedStyleType":1}" data-listchain="__List_Chain_425">
<li style="list-style-type: "1. "; font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">
<div><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">Second paragraph, 1</span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"><sup>st</sup></span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"> sentence
- need to spell out the abbreviation for DPA (Document Printing Application) and give the full reference for both ISO DPA (should be ISO/IEC 10175 Document Printing Application) and IEEE P2600 (which actually should be IEEE 2600-2008 IEEE Standard for Information
Technology: Hardcopy Device and System Security)</span></div>
</li><li style="list-style-type: "2. "; font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">
<span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">We felt the 2nd</span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"> paragraph, 1</span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"><sup>st</sup></span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"> sentence
needed to be written in its entirety to add references to IETF and the HCD iTC and to add proper capitalization of 'Printer' and 'Multi-Function Device'.</span></span></li><li style="list-style-type: "3. "; font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">
<span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">1</span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"><sup>st</sup></span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"> Paragraph, 3</span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"><sup>rd</sup></span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"> </span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">Sentence
- Change the sentence to read "</span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0">Where appropriate, we liaise
with other standards organizations including...."</span></span></span></span></span></li><li style="list-style-type: "4. "; font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">
<span><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0">2<span><sup>nd</sup> paragraph, 2<span><sup>nd</sup> sentence
- Remove the </span><span style="font-family: Calibri, Helvetica, sans-serif;">"</span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">In
conjunction with these security-oriented documents," beginning the sentence and just begin with "The PWG...</span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">"</span></span></span></span></span></span></span></span></li><li style="list-style-type: "5. "; font-family: Calibri, Helvetica, sans-serif; font-size: 20px;">
<span><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">Section
on Security Lifecycle</span></span></span></span></span></span></span></span></li></ol>
<blockquote style="margin-top:0;margin-bottom:0">
<ul data-editing-info="{"orderedStyleType":1,"unorderedStyleType":1}">
<li style="list-style-type: disc; font-family: Calibri, Helvetica, sans-serif; font-size: 20px;">
<span><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">Change
the 1<span><sup>st</sup> sentence, 1<span><sup>st</sup> paragraph to read "Security requires engineering best practices and standards."</span></span></span></span></span></span></span></span></span></span></li><li style="list-style-type: disc; font-family: Calibri, Helvetica, sans-serif; font-size: 20px;">
<span><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1"><span><span>In
the 2<span><sup>nd</sup> sentence, remove the words "updates", "timely" and "todays"</span></span></span></span></span></span></span></span></span></span></span></li></ul>
</blockquote>
<ol data-editing-info="{"orderedStyleType":1,"unorderedStyleType":1}" start="6" data-listchain="__List_Chain_425">
<li style="list-style-type: "6. "; font-family: Calibri, Helvetica, sans-serif; font-size: 20px;">
<span><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">Basic
Security Functions</span></span></span></span></span></span></span></span>
<div style="list-style-type: "7. "; font-family: Calibri, Helvetica, sans-serif; font-size: 20px;">
<span><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">We
discussed this a lot and compared your list to the list of security functions in the HCD cPP. The ones that I thought were missing and we should consider adding dealt with self-test (testing a subset of the functionality during power up or reboot), strong
cryptography (ensuring that only known and vetted cryptographic algorithms are used) and trusted operation (which covers things like secure boot)</span></span></span></span></span></span></span></span></div>
<div style="list-style-type: "7. "; font-family: Calibri, Helvetica, sans-serif; font-size: 20px;">
<span><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">In
the end we decided that the following should be added to your list:</span></span></span></span></span></span></span></span></div>
</li></ol>
<div>
<blockquote style="margin-top:0;margin-bottom:0">
<ul data-editing-info="{"orderedStyleType":1,"unorderedStyleType":1}">
<li style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: disc; margin: 0in 0in 0in -0.25in;">
<span style="font-family:Calibri, Helvetica, sans-serif;font-size:20px"><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">Platform
Integrity Verification: Secure Boot, Self-Test</span></span></span></span></span></span></span></span></li></ul>
<div><span style="font-family:Calibri, Helvetica, sans-serif;font-size:20px"><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1">Also,
add the following to Protection of Data at Rest - TSG Self-Encrypting Drive Standards (OPAL)</span></span></span></span></span></span></span></span></div>
</blockquote>
<ol start="7" data-editing-info="{"orderedStyleType":1,"unorderedStyleType":1}" data-listchain="__List_Chain_425">
<li style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "7. ";">
<span style="font-family:Calibri, Helvetica, sans-serif;font-size:20px"><span><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt; text-align: start; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted0"><span><span><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 20px; display: inline !important; background-color: rgb(255, 255, 255);" class="ContentPasted1"></span></span></span></span></span></span></span></span>Safety
By Design
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "8. ";">
We felt the title should really be "Reliability BY Design".</div>
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "8. ";">
We also felt this section needs more explanatory wording describing what the topic is about</div>
</li><li style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "8. ";">
Privacy
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "9. ";">
You should add pointers to the NIST SPs and other NIST documents that discuss privacy. </div>
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "9. ";">
Note: My comment after the meeting - maybe also add pointers to the EU documents because they are really "heavy" into privacy as well as some states such as California.</div>
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "9. ";">
You should also cover sensitive data and PII here</div>
</li><li style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "9. ";">
Resources
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "10. ";">
Common Log Format has a bad link - Bill thinks it is because you pointed to an older version; it should be PWG 5110.3-2015</div>
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "10. ";">
Check your resource list against the standards you reference in the Basic Security Functions section</div>
<div style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: "10. ";">
Some other resources you should add:</div>
</li></ol>
<div>
<blockquote style="margin-top:0;margin-bottom:0">
<ul data-editing-info="{"orderedStyleType":1,"unorderedStyleType":1}">
<li style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: disc;">
IPP Standards</li><li style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: disc;">
HCD cPP and HCD SD</li><li style="font-size: 20px; font-family: Calibri, Helvetica, sans-serif; list-style-type: disc;">
Applicable IETF Standards (talk to IRA)</li></ul>
<div><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">Remove "Business Case for NAC and Hardcopy Devices" - it is very old and per Ira should be deprecated</span></div>
</blockquote>
<div><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"><br>
</span></div>
</div>
</div>
<div><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">That is the list we have. If you have questions let me know.</span></div>
<div><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;"><br>
</span></div>
<div><span style="font-family: Calibri, Helvetica, sans-serif; font-size: 14pt;">Alan</span></div>
</div>
</body>
</html>