Re: [2600] another issue to talk about...
Are we already assuming that print jobs are authenticated as well, and unauthenticated print jobs are refused (sorry, my memory fails me)?
One could argue that incoming fax should be received, but not be *released* until an authenticated user does so ...
Tom
-----Original Message-----
From: Brian Smithson [mailto:brian.smithson@xxxxxxxxxxxxx]
Sent: 04 December 2008 20:35
To: STDS-2600@xxxxxxxxxxxxxxxxx
Subject: [2600] another issue to talk about...
Jerry Thrasher brought this up (so if you like to shoot messengers...
:-). I don't have an answer for it. I remember having some discussions
about it some time ago, but apparently it is not resolved. The issue is:
In clause 5.4 TOE Operational Model (e.g. P2600.1-40b.pdf page 10 line
12), we state that one of the major security features is that "All Users
are identified and authenticated, and are authorized before being
granted permission to perform TOE functions". However, in the case of an
incoming fax, the sender of the fax is using the TOE functions but is
neither identified nor authenticated.
So it seems that we need to make some allowance for unidentified
unauthenticated TOE users in clause 5.4 without being specific about
incoming faxes and without opening up a loophole for other kinds of
unidentified unauthenticated uses of the TOE.
Any ideas?
--
Regards,
Brian Smithson
Project Manager, Security Research
PMP, SSCP, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435