[2600] another issue to talk about...
Jerry Thrasher brought this up (so if you like to shoot messengers...
:-). I don't have an answer for it. I remember having some discussions
about it some time ago, but apparently it is not resolved. The issue is:
In clause 5.4 TOE Operational Model (e.g. P2600.1-40b.pdf page 10 line
12), we state that one of the major security features is that "All Users
are identified and authenticated, and are authorized before being
granted permission to perform TOE functions". However, in the case of an
incoming fax, the sender of the fax is using the TOE functions but is
neither identified nor authenticated.
So it seems that we need to make some allowance for unidentified,
unauthenticated TOE users in clause 5.4 without being specific about
incoming faxes and without opening up a loophole for other kinds of
unidentified, unauthenticated uses of the TOE.
Any ideas?
--
Regards,
Brian Smithson
Project Manager, Security Research
PMP, SSCP, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435