Re: Final pass on BOF issues for -01



George and everybody,

I'd think it's better to omit this area in the document.  It's still
subject to discussion how security bugs in widely deployed networking
gear should be handled.

I agree. There are real issues on both sides. I don't see a quick consensus.


Yes, this issue is very sensitive. The Common Criteria takes a rather nebulous position on this: as an assurance requirement, the vendor must have (and follow) a documented process for effectively mitigating vulnerabilities (ALC_FLR, section 12.2 of CC Part 3).

I don't believe that the OPSec model can really do much with
this sensitive area.  However, it might be more in the spirit
of the OPSec draft to require something like version and patch
status information?  (As a knob, I'd like every device to be
able to tell me where I stand on updates and patches, even if
I can't do anything about them.  I think most current devices
can already do this, but not all of them.)

BTW, the ANSI T1.276-2003 draft addresses this issue in a
somewhat indirect fashion, in section B.5.2.  They give no
specific requirements, just prose.

...nz