In the world of advancing ITU standards, the term "Fax" no longer is restricted to basic analog fax, so you should make sure that the text at least accepts the existence of analog and internet fax...for example, it's possible to authenticate T.38 fax, using SIP authentication.
And of course, in the case of basic analog fax, Jerry's point is well taken....
Randy

On Dec 4, 2008, at 5:34 PM, Brian Smithson wrote:

Jerry Thrasher brought this up (so if you like to shoot messengers... :-). I don't have an answer for it. I remember having some discussions about it some time ago, but apparently it is not resolved.

The issue is: In clause 5.4 TOE Operational Model (e.g. P2600.1-40b.pdf page 10 line 12), we state that one of the major security features is that "All Users are identified and authenticated, and are authorized before being granted permission to perform TOE functions". However, in the case of an incoming fax, the sender of the fax is using the TOE functions but is neither identified nor authenticated.

So it seems that we need to make some allowance for unidentified unauthenticated TOE users in clause 5.4 without being specific about incoming faxes and without opening up a loophole for other kinds of unidentified unauthenticated uses of the TOE.

Any ideas?

--
Regards,
Brian Smithson
Project Manager, Security Research
PMP, SSCP, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435