Re: What exactly is being interpreted?

Subject: Re: What exactly is being interpreted?
From: Gary Stoneburner <stoneburner@nist.gov>
Date: Tue, 06 Feb 2001 10:10:26 -0500
Content-Type: text/html; charset="us-ascii"
In-Reply-To: <3A7F4890.416270CE@saic.com>

James,

I have addressed your comments below, speaking from my experience as the NIST member of the Common Criteria Interpretations Management Board and as a member of the US interpretations working group. These comments are mine and not an official position of either group.

At 07:48 PM 2/5/01 -0500, James Arnold wrote:

1. Scheme Policy Statements

Current examples include allowing criteria to be translated into US English and allowing a TOE to begin evaluation even if the ST is not completely evaluated. I believe that these statements actually belong in one of the NIAP operation guides, but maintaining an evolving list of policy statements or decisions to be incorporated into those documents at a later date seems sensible. Much like the intent to incorporate interpretations into the CC in a subsequent version.

Both of the examples you give are CCEVS decisions at to what the statements in the CC and CEM really mean. This is the essence of an interpretation. Scheme developing guidance, policy, and procedures cover areas that the CC or CEM is silent about or explicitly leaves to the scheme to determine.

2. New Criteria

New requirement classes, families, and components are quite simply not interpretations. It is useful to separate these since they will have no impact on any project that does not incorporate them and it may be easier to search this alternate source of criteria if it is not mixed with the other interpretation products.

CCEVS operates in the context of an international arrangement on the use of the CC and CEM. While there is a lot of validity in your point, the CC Project has decided to simply call all changes to the CC and CEM (to include new material) interpretations. CCEVS is doing the same. It is partly a semantic issue but also of important in that every final interpretation takes precedence over the written documents - so in that regard, the use of new material introduced by an interpretation is not an extension to the CC but is CC conformant.

Also, I think that new criteria should be constructed differently. Specifically, it should be packaged to clearly describe rationale that would be adequate to satisfy the *SRE* family of requirements. Or better, to obviate those requirements for requirements taken from the approved (i.e., final) set of new criteria. If such rationale is not available or the *SRE* work units must be applied to this new criteria, there is no clear benefit of suggesting new criteria in the first place.

Once an interpretation becomes final, the SRE family no longer applies. Any new criteria from a final interpretation is a part of the CC, not an extension to the CC.

3. Criteria Guidance

What I mean by guidance is an interpretation product that changes only "informative" material. While this information may be useful, it generally doesn't impose itself on a developer or evaluator the same way that an actual interpretation (i.e., item 4) might.

By changing this material, the meaning of the CC is likely to be changed. While the SFR and SAR might be unchanged, the interpretation is putting into other material direct information that is to be used in determining how to implement the SFR and SAR. Many times the interpretation bodies have been faced with questions of the sort - "what does this mean?" or "Does this mean that?" In some cases it was determined that changes to, for example, application notes was the best way of answering that question and avoiding it in in the future.

4. Criteria Interpretation

Finally, interpretations should consist only of changes to SFRs,
SARs, and CEM work units, as well as other changes that cause them to be
indirectly and meaningfully changed (e.g., change to a definition used
in an SFR).

This appears to be directly related to #3 above.

As a user of interpretations, I would like to see very few interpretations. Alternately, I would like very much to see
interpretation products meaningfully classified. This would help reducemy burden, especially as the number of national and international interpretation products increases, of analysis for evaluation projects.

Both the CCEVS interpretations body and the CCIMB want to limit CC and CEM changes. However, we are responding to questions and comments (many arising out of actual evaluations) that point out errors or confusion in the CC and CEM. Identified errors and points of confusion need to be addressed.

This situation is not unlike what existed before the CC. With the US TCSEC, interpretations were being generated on an on-going basis. Every evaluation had to comply with the interpretations that existed at that point. This meant that it was possible for a re-evaluation to fail even though it would have succeeded earlier. Past evaluations were not invalidated, but new evaluations were conducted using the existing interpretations.

Gary

**************************************************************************
* Gary Stoneburner
* Computer Security Division, Systems and Network Security Group
* National Institute of Standards and Technology (NIST)
* 100 Bureau Dr, Stop 8930, Gaithersburg, MD 20899-8930
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
**************************************************************************

Follow-Ups:
- Re: What exactly is being interpreted?
  - From: James Arnold <arnoldj1@saic.com>

References:
- What exactly is being interpreted?
  - From: James Arnold <arnoldj1@saic.com>

Prev by Date: What exactly is being interpreted?
Next by Date: Re: What exactly is being interpreted?
Prev by thread: What exactly is being interpreted?
Next by thread: Re: What exactly is being interpreted?

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov