>From: Peter Williams <williams(_at_)atlas(_dot_)arc(_dot_)nasa(_dot_)gov>
>Subject: Re: Re[2]: Comment on draft-ietf-pem-signenc-01.txt
>Date: Thu, 04 Aug 1994 11:06:34 -0700
>Its even worse than you may realize. Not only must one document the
>specific security services properties, and demonstrate that the that
>the various mechanisms do not collide in the provision of the claimed
>service, but one must phrase the specification in terms of assurance
>evaluation criteria, even for the lower levels of such classification
>systems, at least when producing products likely to be recogised by the
>professional security and banking industry.
Generally, in futherence of the the request for comments process:
I didn't mean to assert that MIME-PEM standard should follow an
assurance evaluation format. Rather, that products evaluation specs
would be able to directly refer to the standard, and not face problems
when modelling the processes described therein in terms of the
functional assurance criteria. This requires simply that the base
material is organized up front to assist this later stage, so vital to
products derived from this technology. Its vital to be able to make
specific and accurate claims for an implemented product, using
argument referenced wherever possible from accepted, and standardized
base material.
The security evaluation process expects certain things, which my
comment seeks to point out might be wise to attend to, when
considering the scope and intended usage of the standard. Comments
were requested; he were some of mime.