Re: I-0407: Empty Selections Or Assignments



  [NOTE: This proposal is being re-posted after being updated to reflect
  comments the IWG received on its previous posting, or comments arising
  from further IWG discussion of the proposal.]

  This transaction consists of a proposal for a National Interpretation of
  a Common Criteria document. It is being posted in accordance with the
  procedures of the IWG.

  Comments on this proposal are welcomed and should be posted to this
  transaction chain.  If any party wishes to post a comment anonymously,
  the comment should be mailed to IWG@gibraltar.ncsc.mil in a form
  suitable for posting.  All comments should be posted no later than
  Tuesday, May 29, 2001.


                 CCITSE/CEM  NIAP INTERPRETATION (PROPOSED)


     _________________________________________________________________

                    I-0407: Empty Selections Or Assignments
     _________________________________________________________________

TYPE:                 NIAP Interpretation
NUMBER:               I-0407
STATUS:               Ready for External Repost after Interpretations Board
                      Rework/Review

TITLE:                Empty Selections Or Assignments
COMMENTS DUE BY:      Monday, April 9, 2001 to IWG@gibraltar.ncsc.mil

SOURCE REFERENCE:     CC v2.1 Part 1 Subclause 4.4.1
                      CC v2.1 Part 2 Subclause 3.2 FAU_GEN.1
                      CC v2.1 Part 2 Subclause 3.3 FAU_SAA.1
                      CC v2.1 Part 2 Subclause 3.5 FAU_SEL.1
                      CC v2.1 Part 2 Subclause 3.6 FAU_STG.4
                      CC v2.1 Part 2 Subclause 3.6 FAU_STG.NIAP-0387-1
                      CC v2.1 Part 2 Subclause 6.2 FDP_ACF.1
                      CC v2.1 Part 2 Subclause 6.4 FDP_ETC.2
                      CC v2.1 Part 2 Subclause 6.6 FDP_IFF
                      CC v2.1 Part 2 Subclause 6.7 FDP_ITC.1
                      CC v2.1 Part 2 Subclause 6.7 FDP_ITC.2
                      CC v2.1 Part 2 Subclause C.2 FAU_GEN.1
                      CC v2.1 Part 2 Subclause C.3 FAU_SAA.1
                      CC v2.1 Part 2 Subclause C.5 FAU_SEL.1
                      CC v2.1 Part 2 Subclause C.6 FAU_STG.4
                      CC v2.1 Part 2 Subclause C.6 FAU_STG.NIAP-0387-1
                      CC v2.1 Part 2 Subclause F.2 FDP_ACF.1
                      CC v2.1 Part 2 Subclause F.4 FDP_ETC.2
                      CC v2.1 Part 2 Subclause F.6 FDP_IFF
                      CC v2.1 Part 2 Subclause F.7 FDP_ITC.1
                      CC v2.1 Part 2 Subclause F.7 FDP_ITC.2
RELATED TO:           <None>

ISSUE:

   CC v2.1 is ambiguous as to whether an assignment may be completed with
   "none", i.e., by providing no list. Similarly, it is unclear whether
   "none" is available as a selection option. In some cases, "none" is
   given as an option in the Annex but is not indicated in the normative
   portion of Part 2.

STATEMENT:

   Assignments must be non-empty. The CC must be clear when a null choice
   is an appropriate option.

SPECIFIC INTERPRETATION:

   To address this interpretation, the following changes are made to CC
   v2.1, Part 1: (additions marked _thusly_; deletions marked _[DEL:_
   thusly _:DEL]_ )


     * Add the following paragraph before paragraph 149 in CC v2.1 Part
       1:

     Lists used to complete assignments must be non-empty. "None" (or
     equivalent wording) is only available as a choice if it is
     explicitly provided; furthermore, if the "none" option is chosen,
     no additional selection options may be chosen. If "none" is not
     given as an option in a selection, it is permissible to combine the
     choices in a selection with "and"s and "or"s.
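   The Part 1 paragraph above reduces to three mechanical constraints on a
   completed element: the list supplied for an assignment is non-empty,
   "none" (or equivalent wording) is accepted only where the element
   explicitly offers it, and once that explicit null option is chosen no
   other option of the same selection may be chosen. As an added
   illustration (example code, not part of this interpretation or of the
   CC), the Python checker below applies those constraints to a
   selection-with-embedded-assignment of the form this interpretation
   introduces. The two templates mirror FDP_ACF.1.3-NIAP-0407 and
   FAU_SEL.1.1-NIAP-0407 a) as rewritten later in this document; the
   pattern used to recognise "none"-equivalent wording and the sample
   completions are constructed assumptions.

```python
"""Checker for completed CC Part 2 operations under the I-0407 rule:
assignments non-empty; "none" only where explicitly offered, and then
exclusive of other options. Templates and completions are constructed
for illustration, not taken from any PP or ST."""
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

# Wording treated as equivalent to "none" when it appears where the
# template offers no explicit null option (this pattern is an assumption).
_NULL_RE = re.compile(r'(none|no action|not applicable|n/a|no (additional|other)( \w+)*)')


def is_null_wording(text: str) -> bool:
    """True if a completed item merely says "none" in some form."""
    return _NULL_RE.fullmatch(text.strip().strip('"').lower()) is not None


@dataclass(frozen=True)
class Assignment:
    """[assignment: description]; completed with a list of items."""
    description: str


@dataclass(frozen=True)
class Selection:
    """[selection: option, ...]; an option is a literal string or an embedded
    Assignment. null_option names the explicit "none"-style choice, if any."""
    options: Tuple[Union[str, Assignment], ...]
    null_option: Optional[str] = None


# A completion: each chosen element is a literal option string, or a pair
# (Assignment, items) for an embedded assignment completed with items.
Choice = Union[str, Tuple[Assignment, Sequence[str]]]


def check_assignment(a: Assignment, items: Sequence[str]) -> list:
    """Lists used to complete assignments must be non-empty, and "none"
    typed into an assignment is not a valid completion."""
    problems = []
    cleaned = [i.strip() for i in items if i and i.strip()]
    if not cleaned:
        problems.append(f'assignment "{a.description}" completed with an empty list')
    for item in cleaned:
        if is_null_wording(item):
            problems.append(f'assignment "{a.description}" completed with "{item}"; '
                            '"none" is only available if the element explicitly offers it')
    return problems


def validate(sel: Selection, chosen: Sequence[Choice]) -> list:
    """Return the list of rule violations; an empty list means the
    completion is acceptable under I-0407."""
    if not chosen:
        return ["selection completed with no choice at all"]
    problems = []
    literals = [c for c in chosen if isinstance(c, str)]
    for lit in literals:
        if lit not in sel.options:
            if is_null_wording(lit):
                problems.append(f'"{lit}" chosen, but this selection offers no "none" option')
            else:
                problems.append(f'"{lit}" is not an offered option')
    # The explicit null option, once chosen, excludes every other option.
    if sel.null_option is not None and sel.null_option in literals and len(chosen) > 1:
        problems.append(f'"{sel.null_option}" chosen together with other options')
    for c in chosen:
        if isinstance(c, tuple):
            assignment, items = c
            if assignment not in sel.options:
                problems.append(f'assignment "{assignment.description}" is not part of this selection')
            problems.extend(check_assignment(assignment, items))
    return problems


# FDP_ACF.1.3-NIAP-0407 as rewritten by this interpretation: a selection
# wrapping the assignment, with an explicit null option.
ACF_1_3_RULES = Assignment("rules, based on security attributes, that "
                           "explicitly authorise access of subjects to objects")
FDP_ACF_1_3 = Selection((ACF_1_3_RULES, "no additional rules"),
                        null_option="no additional rules")

# FAU_SEL.1.1-NIAP-0407 a): a plain selection with no null option, so its
# choices may be combined but "none" is not available.
FAU_SEL_1_1_A = Selection(("object identity", "user identity", "subject identity",
                           "host identity", "event type"))

if __name__ == "__main__":
    # Constructed completions, each labelled with the expected outcome.
    cases = {
        "explicit null option alone (ok)": (FDP_ACF_1_3, ["no additional rules"]),
        "null option plus a rule (violation)": (FDP_ACF_1_3, [
            "no additional rules",
            (ACF_1_3_RULES, ["a subject holding the override privilege is granted access"])]),
        "empty assignment (violation)": (FDP_ACF_1_3, [(ACF_1_3_RULES, [])]),
        '"none" typed into assignment (violation)': (FDP_ACF_1_3, [(ACF_1_3_RULES, ["none"])]),
        "two attributes combined (ok)": (FAU_SEL_1_1_A, ["object identity", "user identity"]),
        '"none" where not offered (violation)': (FAU_SEL_1_1_A, ["none"]),
    }
    for label, (sel, chosen) in cases.items():
        print(f"{label}: {validate(sel, chosen) or 'acceptable'}")
```

   Note that the checker deliberately rejects "none" typed into an
   assignment even when the surrounding selection offers a null option:
   the interpretation's intent is that the author select the explicit
   null option and leave the assignment uncompleted, not express the same
   thing twice in different places.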

   To address this interpretation, the following changes are made to CC
   v2.1, Part 2: (additions marked _thusly_; deletions marked _[DEL:_
   thusly _:DEL]_ )


     * FAU_GEN.1 is relabeled as FAU_GEN.1-NIAP-0407. Unless otherwise
       noted in these changes, all normative and informative material
       associated with FAU_GEN.1 is incorporated unchanged into
       FAU_GEN.1-NIAP-0407, and all references to FAU_GEN.1 in the CC,
       CEM, or other Common Criteria documentation are changed to refer
       to FAU_GEN.1-NIAP-0407.

     * Subclause 3.2, FAU_GEN.1 is modified as follows:

     FAU_GEN.1.1_-NIAP-0407_ The TSF shall be able to generate an audit
     record of the following auditable events:

     a) Start-up and shutdown of the audit functions;
     b) All auditable events for the [selection: _minimum, basic,
     detailed, not specified_] level of audit; and
     c) _[selection:_ [assignment: _other specifically defined auditable
     events_]_, "no additional events"]_.
     FAU_GEN.1.2_-NIAP-0407_ The TSF shall record within each audit
     record at least the following information:
     a) Date and time of the event, type of event, subject identity, and
     the outcome (success or failure) of the event; and
     b) For each audit event type, based on the auditable event
     definitions of the functional components included in the PP/ST,
     _[selection:_ [assignment: _other audit relevant information_]_,
     "no other information"]_.

     * The following is added after Subclause C.2, paragraph 567:

     For FAU_GEN.1.1-NIAP-0407c, the PP/ST author should select "no
     additional events" if there are no additional events to be audited.
     In such a case, the assignment should not be completed.

     For FAU_GEN.1.2-NIAP-0407b, the PP/ST author should select "no
     other information" if the only information to be recorded is that
     listed in item a. In such a case, the assignment should not be
     completed.

     * Subclause C.2, paragraphs 568 and 569 are modified as follows:

     For FAU_GEN.1.1_-NIAP-0407_c, the PP/ST author should assign a list
     of other specifically defined auditable events to be included in
     the list of auditable events. These events could be auditable
     events of a functional requirement that are of higher audit level
     than requested in FAU_GEN.1.1b, as well as the events generated
     through the use of a specified Application Programming Interface
     (API). _This assignment should not be completed if "no additional
     events" was selected._

     For FAU_GEN.1.2_-NIAP-0407_b, the PP/ST author should assign, for
     each auditable event included in the PP/ST, a list of other audit
     relevant information to be included in audit event records. _This
     assignment should not be completed if "no other information" was
     selected._

     * FAU_SAA.1 is relabeled as FAU_SAA.1-NIAP-0407. Unless otherwise
       noted in these changes, all normative and informative material
       associated with FAU_SAA.1 is incorporated unchanged into
       FAU_SAA.1-NIAP-0407, and all references to FAU_SAA.1 in the CC,
       CEM, or other Common Criteria documentation are changed to refer
       to FAU_SAA.1-NIAP-0407.

     * Subclause 3.3, FAU_SAA.1 is modified as follows:

     FAU_SAA.1.2_-NIAP-0407_ The TSF shall enforce the following rules
     for monitoring audited events:

     a) Accumulation or combination of [assignment: _subset of defined
     auditable events_] known to indicate a potential security
     violation;
     b) _[selection:_ [assignment: _any other rules_]_, "no additional
     rules"]_

     * The following is added after Subclause C.3, paragraph 576:

     Selection:

     For FAU_SAA.1.2-NIAP-0407b, the PP/ST author should select "no
     additional rules" if there are no additional rules to be applied.
     In such a case, the assignment should not be completed.

     * Subclause C.3, paragraph 577, is modified as follows:

     In FAU_SAA.1.2_-NIAP-0407_ _[DEL:_ . _:DEL]_ b, the PP/ST author
     should specify any other rules that the TSF should use in its
     analysis of the audit trail. Those rules could include specific
     requirements to express the needs for the events to occur in a
     certain period of time (e.g. period of the day, duration). _This
     assignment should not be completed if "no additional rules" was
     selected._

     * FAU_SEL.1 is relabeled as FAU_SEL.1-NIAP-0407. Unless otherwise
       noted in these changes, all normative and informative material
       associated with FAU_SEL.1 is incorporated unchanged into
       FAU_SEL.1-NIAP-0407, and all references to FAU_SEL.1 in the CC,
       CEM, or other Common Criteria documentation are changed to refer
       to FAU_SEL.1-NIAP-0407.

     * Subclause 3.5, FAU_SEL.1 is modified as follows:

     FAU_SEL.1.1_-NIAP-0407_ The TSF shall be able to include or exclude
     auditable events from the set of audited events based on the
     following attributes:

     a) [selection: _object identity, user identity, subject identity,
     host identity, event type_]
     b) _[selection:_ [assignment: _list of additional attributes that
     audit selectivity is based upon_]_, "no additional attributes"]_

     * The following is added after Subclause C.5, paragraph 624:

     For FAU_SEL.1.1-NIAP-0407b, the PP/ST author should select "no
     additional attributes" if there are no additional attributes upon
     which audit selectivity is based. In such a case, the assignment
     should not be completed.

     * Subclause C.5, paragraph 625, is modified as follows:

     For FAU_SEL.1.1_-NIAP-0407_b, the PP/ST author should specify any
     additional attributes upon which audit selectivity is based. _This
     assignment should not be completed if "no additional attributes"
     was selected._

     * FAU_STG.4-NIAP-0387 is relabeled as FAU_STG.4-NIAP-0407. Unless
       otherwise noted in these changes, all normative and informative
       material associated with FAU_STG.4-NIAP-0387 is incorporated
       unchanged into FAU_STG.4-NIAP-0407, and all references to
       FAU_STG.4-NIAP-0387 in the CC, CEM, or other Common Criteria
       documentation are changed to refer to FAU_STG.4-NIAP-0407.

     * Subclause 3.6, FAU_STG.4-NIAP-0387 is modified as follows:

     FAU_STG.4.1-NIAP-0407 The TSF shall [selection: _"ignore auditable
     events", "prevent auditable events, except those taken by the
     authorised user with special rights", "overwrite the oldest stored
     audit records"_] and _[selection:_ [assignment: _other actions to
     be taken in case of audit storage failure_]_, "take no other
     actions"]_ if the audit trail is full.

     * The following is added after Subclause C.6, paragraph 639:

     For FAU_STG.4.1-NIAP-0407, the PP/ST author should select "take no
     other actions" if there are no additional actions to be taken when
     the audit trail is full. In such a case, the assignment should not
     be completed.

     * Subclause C.6, paragraph 640, is modified as follows:

     In FAU_STG.4.1-_[DEL:_ 0387 _:DEL]_ _0407_, the PP/ST author should
     specify other actions that should be taken in case of audit storage
     failure, such as informing the authorised user. _This assignment
     should not be completed if "take no other actions" was selected._

     * FAU_STG.NIAP-0387-1 is relabeled as FAU_STG.NIAP-0407-1. Unless
       otherwise noted in these changes, all normative and informative
       material associated with FAU_STG.NIAP-0387-1 is incorporated
       unchanged into FAU_STG.NIAP-0407-1, and all references to
       FAU_STG.NIAP-0387-1 in the CC, CEM, or other Common Criteria
       documentation are changed to refer to FAU_STG.NIAP-0407-1.

     * Subclause 3.6, FAU_STG.NIAP-0387-1 is modified as follows:

     FAU_STG.NIAP-0387-1.1-NIAP-0407 The TSF shall provide an
     authorised administrator with the capability to select one or more
     of the following actions [selection: _"ignore auditable events",
     "prevent auditable events, except those taken by the authorised
     user with special rights", "overwrite the oldest stored audit
     records"_] and _[selection:_ [assignment: _other actions to be
     taken in case of audit storage failure_]_, "no additional options"]_
     to be taken if the audit trail is full.

     FAU_STG.NIAP-0387-1.2-NIAP-0407 The TSF shall [selection: _"ignore
     auditable events", "prevent auditable events, except those taken by
     the authorised user with special rights", "overwrite the oldest
     stored audit records"_] and _[selection:_ [assignment: _other
     actions to be taken in case of audit storage failure_]_, "take no
     other actions"]_ if the audit trail is full.

     * The following is added in Subclause C.6, in the annex text for
       FAU_STG.NIAP-0387-1, in the "Operations" section, in the
       "Selection:" subsection, after the first paragraph:

     For FAU_STG.NIAP-0387-1.1-NIAP-0407, the PP/ST author should select
     "no additional options" if there are no additional options to be
     provided to an authorised user. In such a case, the assignment
     should not be completed.

     * The following is added in Subclause C.6, in the annex text for
       FAU_STG.NIAP-0387-1, in the "Operations" section, in the
       "Selection:" subsection, after the last paragraph:

     For FAU_STG.NIAP-0387-1.2-NIAP-0407, the PP/ST author should select
     "take no other actions" if there are no additional actions to be
     taken when the audit trail is full. In such a case, the assignment
     should not be completed.

     * In Subclause C.6, in the annex text for FAU_STG.NIAP-0387-1, in
       the "Operations" section, the "Assignment" text is modified as
       follows:

     In FAU_STG.NIAP-0387-1.1_-NIAP-0407_, the PP/ST author should
     specify other actions that should be taken in case of audit storage
     failure, such as informing an authorised user. _This assignment
     should not be completed if "no additional options" was selected._

     In FAU_STG.NIAP-0387-1.2_-NIAP-0407_, the PP/ST author should
     specify other actions that should be taken in case of audit storage
     failure when no action has been selected, such as informing the
     authorised user. _This assignment should not be completed if "take
     no other actions" was selected._

     * FDP_ACF.1-NIAP-0416 is relabeled as FDP_ACF.1-NIAP-0407. Unless
       otherwise noted in these changes, all normative and informative
       material associated with FDP_ACF.1-NIAP-0416 is incorporated
       unchanged into FDP_ACF.1-NIAP-0407, and all references to
       FDP_ACF.1-NIAP-0416 in the CC, CEM, or other Common Criteria
       documentation are changed to refer to FDP_ACF.1-NIAP-0407.

     * Subclause 6.2, FDP_ACF.1-NIAP-0416 is modified as follows:

     FDP_ACF.1.3_-NIAP-0407_ The TSF shall explicitly authorise access
     of subjects to objects based on the following additional rules:
     _[selection:_ [assignment: _rules, based on security attributes,
     that explicitly authorise access of subjects to objects_]_, "no
     additional rules"]_

     FDP_ACF.1.4_-NIAP-0407_ The TSF shall explicitly deny access of
     subjects to objects based on the _following rules:_ _[selection:_
     [assignment: _rules, based on security attributes, that explicitly
     deny access of subjects to objects_]_, "no additional explicit
     denial rules"]_

     * In Subclause F.2, the following is added after the "Operations"
       subheader after paragraph 761:

     Selection:

     For FDP_ACF.1.3-NIAP-0407, the PP/ST author should select "no
     additional rules" if there are no additional rules used to
     explicitly authorise access. In such a case, the assignment should
     not be completed.

     For FDP_ACF.1.4-NIAP-0407, the PP/ST author should select "no
     additional explicit denial rules" if there are no additional rules
     used to explicitly deny access. In such a case, the assignment
     should not be completed.

     * Subclause F.2, paragraphs 765 and 766 are modified as follows:

     In FDP_ACF.1.3_-NIAP-0407_, the PP/ST author should specify the
     rules, based on security attributes, that explicitly authorise
     access of subjects to objects that will be used to explicitly
     authorise access. These rules are in addition to those specified in
     FDP_ACF.1.1. They are included in FDP_ACF.1.3 as they are intended
     to contain exceptions to the rules in FDP_ACF.1.1. An example of
     rules to explicitly authorise access is based on a privilege vector
     associated with a subject that always grants access to objects
     covered by the access control SFP that has been specified. If such
     a capability is not desired, then the PP/ST author should _select_
     _[DEL:_ specify "none" _:DEL]_ _"no additional rules" instead_.

     In FDP_ACF.1.4_-NIAP-0407_, the PP/ST author should specify the
     rules, based on security attributes, that explicitly deny access of
     subjects to objects. These rules are in addition to those specified
     in FDP_ACF.1.1. They are included in FDP_ACF.1.4 as they are
     intended to contain exceptions to the rules in FDP_ACF.1.1. An
     example of rules to explicitly deny access is based on a privilege
     vector associated with a subject that always denies access to
     objects covered by the access control SFP that has been specified.
     If such a capability is not desired, then the PP/ST author should
     _select_ _[DEL:_ specify "none" _:DEL]_ _"no additional explicit
     denial rules" instead_.

     * FDP_ETC.2 is relabeled as FDP_ETC.2-NIAP-0407. Unless otherwise
       noted in these changes, all normative and informative material
       associated with FDP_ETC.2 is incorporated unchanged into
       FDP_ETC.2-NIAP-0407, and all references to FDP_ETC.2 in the CC,
       CEM, or other Common Criteria documentation are changed to refer
       to FDP_ETC.2-NIAP-0407.

     * Subclause 6.4, FDP_ETC.2 is modified as follows:

     FDP_ETC.2.4_-NIAP-0407_ The TSF shall enforce the following rules
     when user data is exported from the TSC: _[selection:_ [assignment:
     _additional exportation control rules_]_, "no additional rules"]_

     * In subclause F.4, the following is added after the "Operations"
       subheader after paragraph 783:

     Selection:

     For FDP_ETC.2.4-NIAP-0407, the PP/ST author should select "no
     additional rules" if there are no additional exportation control
     rules. In such a case, the assignment should not be completed.

     * Subclause F.4, paragraph 784, is modified as follows:

     In FDP_ETC.2.4_-NIAP-0407_, the PP/ST author should specify any
     additional exportation control rules _[DEL:_ or "none" if there are
     no additional exportation control rules _:DEL]_ . These rules will
     be enforced by the TSF in addition to the access control SFPs
     and/or information flow control SFPs selected in FDP_ETC.2.1. _This
     assignment should not be completed if "no additional rules" was
     selected._

     * FDP_IFF.1-NIAP-0417 is relabeled as FDP_IFF.1-NIAP-0407. Unless
       otherwise noted in these changes, all normative and informative
       material associated with FDP_IFF.1-NIAP-0417 is incorporated
       unchanged into FDP_IFF.1-NIAP-0407, and all references to
       FDP_IFF.1-NIAP-0417 in the CC, CEM, or other Common Criteria
       documentation are changed to refer to FDP_IFF.1-NIAP-0407.

     * Subclause 6.6, FDP_IFF.1-NIAP-0417 is modified as follows:

     FDP_IFF.1.3_-NIAP-0407_ The TSF shall enforce the _following
     information flow control rules: [selection:_ [assignment:
     _additional information flow control SFP rules_]_, "no additional
     information flow control SFP rules"]_

     FDP_IFF.1.4_-NIAP-0407_ The TSF shall provide the following
     _[selection:_ [assignment: _list of additional SFP capabilities_]_,
     "no additional SFP capabilities"]_

     FDP_IFF.1.5_-NIAP-0407_ The TSF shall explicitly authorise an
     information flow based on the following rules: _[selection:_
     [assignment: _rules, based on security attributes, that explicitly
     authorise information flows_]_, "no explicit authorisation rules"]_

     FDP_IFF.1.6_-NIAP-0407_ The TSF shall explicitly deny an
     information flow based on the following rules: _[selection:_
     [assignment: _rules, based on security attributes, that explicitly
     deny information flows_]_, "no explicit denial rules"]_

     * In subclause F.6, the following is added after the "Operations"
       subheader after paragraph 808:

     Selection:

     For FDP_IFF.1.3-NIAP-0407, the PP/ST author should select "no
     additional information flow control SFP rules" if there are no
     additional rules. In such a case, the assignment should not be
     completed.

     For FDP_IFF.1.4-NIAP-0407, the PP/ST author should select "no
     additional SFP capabilities" if there are no additional
     capabilities to be provided by the TOE for the SFP. In such a case,
     the assignment should not be completed.

     For FDP_IFF.1.5-NIAP-0407, the PP/ST author should select "no
     explicit authorisation rules" if there are no additional rules that
     govern authorisation. In such a case, the assignment should not be
     completed.

     For FDP_IFF.1.6-NIAP-0407, the PP/ST author should select "no
     explicit denial rules" if there are no additional rules that govern
     denial. In such a case, the assignment should not be completed.

     * Subclause F.6, paragraphs 812 through 815 are modified as follows:

     In FDP_IFF.1.3_-NIAP-0407_ the PP/ST author should specify any
     additional information flow control SFP rules that the TSF is to
     enforce. If there are no additional rules then the PP/ST author
     should _[DEL:_ specify "none" _:DEL]_ _select "no additional
     information flow control SFP rules" instead, in which case this
     assignment should not be completed_.

     In FDP_IFF.1.4_-NIAP-0407_ the PP/ST author should specify any
     additional SFP capabilities that the TSF is to provide. If there
     are no additional capabilities then the PP/ST author should _[DEL:_
     specify "none" _:DEL]_ _select "no additional SFP capabilities"
     instead, in which case this assignment should not be completed_.

     In FDP_IFF.1.5_-NIAP-0407_, the PP/ST author should specify the
     rules, based on security attributes, that explicitly authorise
     information flows. These rules are in addition to those specified
     in the preceding elements. They are included in FDP_IFF.1.5 as they
     are intended to contain exceptions to the rules in the preceding
     elements. An example of rules to explicitly authorise information
     flows is based on a privilege vector associated with a subject that
     always grants the subject the ability to cause an information flow
     for information that is covered by the SFP that has been specified.
     If such a capability is not desired, then the PP/ST author should
     _[DEL:_ specify "none" _:DEL]_ _select "no explicit authorisation
     rules" instead, in which case this assignment should not be
     completed_.

     In FDP_IFF.1.6_-NIAP-0407_, the PP/ST author should specify the
     rules, based on security attributes, that explicitly deny
     information flows. These rules are in addition to those specified
     in the preceding elements. They are included in FDP_IFF.1.6 as they
     are intended to contain exceptions to the rules in the preceding
     elements. An example of rules to explicitly deny information
     flows is based on a privilege vector associated with a subject that
     always denies the subject the ability to cause an information flow
     for information that is covered by the SFP that has been specified.
     If such a capability is not desired, then the PP/ST author should
     _[DEL:_ specify "none" _:DEL]_ _select "no explicit denial rules"
     instead, in which case this assignment should not be completed_.

     * FDP_IFF.2-NIAP-0417 is relabeled as FDP_IFF.2-NIAP-0407. Unless
       otherwise noted in these changes, all normative and informative
       material associated with FDP_IFF.2-NIAP-0417 is incorporated
       unchanged into FDP_IFF.2-NIAP-0407, and all references to
       FDP_IFF.2-NIAP-0417 in the CC, CEM, or other Common Criteria
       documentation are changed to refer to FDP_IFF.2-NIAP-0407.

     * Subclause 6.6, FDP_IFF.2-NIAP-0417 is modified as follows:

     FDP_IFF.2.3_-NIAP-0407_ The TSF shall enforce the _following
     information flow control rules: [selection:_ [assignment:
     _additional information flow control SFP rules_]_, "no additional
     information flow control SFP rules"]_

     FDP_IFF.2.4_-NIAP-0407_ The TSF shall provide the following
     _[selection:_ [assignment: _list of additional SFP capabilities_]_,
     "no additional SFP capabilities"]_

     FDP_IFF.2.5_-NIAP-0407_ The TSF shall explicitly authorise an
     information flow based on the following rules: _[selection:_
     [assignment: _rules, based on security attributes, that explicitly
     authorise information flows_]_, "no explicit authorisation rules"]_

     FDP_IFF.2.6_-NIAP-0407_ The TSF shall explicitly deny an
     information flow based on the following rules: _[selection:_
     [assignment: _rules, based on security attributes, that explicitly
     deny information flows_]_, "no explicit denial rules"]_

     * In subclause F.6, the following is added after the "Operations"
       subheader after paragraph 822:

     Selection:

     For FDP_IFF.2.3-NIAP-0407, the PP/ST author should select "no
     additional information flow control SFP rules" if there are no
     additional rules. In such a case, the assignment should not be
     completed.

     For FDP_IFF.2.4-NIAP-0407, the PP/ST author should select "no
     additional SFP capabilities" if there are no additional
     capabilities to be provided by the TOE for the SFP. In such a case,
     the assignment should not be completed.

     For FDP_IFF.2.5-NIAP-0407, the PP/ST author should select "no
     explicit authorisation rules" if there are no additional rules that
     govern authorisation. In such a case, the assignment should not be
     completed.

     For FDP_IFF.2.6-NIAP-0407, the PP/ST author should select "no
     explicit denial rules" if there are no additional rules that govern
     denial. In such a case, the assignment should not be completed.

     * Subclause F.6, paragraphs 824 through 827 are modified as follows:

     In FDP_IFF.2.3_-NIAP-0407_ the PP/ST author should specify any
     additional information flow control SFP rules that the TSF is to
     enforce. If there are no additional rules then the PP/ST author
     should _[DEL:_ specify "none" _:DEL]_ _select "no additional
     information flow control SFP rules" instead, in which case this
     assignment should not be completed_.

     In FDP_IFF.2.4_-NIAP-0407_ the PP/ST author should specify any
     additional SFP capabilities that the TSF is to provide. If there
     are no additional capabilities then the PP/ST author should _[DEL:_
     specify "none" _:DEL]_ _select "no additional SFP capabilities"
     instead, in which case this assignment should not be completed_.

     In FDP_IFF.2.5_-NIAP-0407_, the PP/ST author should specify the
     rules, based on security attributes, that explicitly authorise
     information flows. These rules are in addition to those specified
     in the preceding elements. They are included in FDP_IFF.2.5 as they
     are intended to contain exceptions to the rules in the preceding
     elements. An example of rules to explicitly authorise information
     flows is based on a privilege vector associated with a subject that
     always grants the subject the ability to cause an information flow
     for information that is covered by the SFP that has been specified.
     If such a capability is not desired, then the PP/ST author should
     _[DEL:_ specify "none" _:DEL]_ _select "no explicit authorisation
     rules" instead, in which case this assignment should not be
     completed_.

     In FDP_IFF.2.6_-NIAP-0407_, the PP/ST author should specify the
     rules, based on security attributes, that explicitly deny
     information flows. These rules are in addition to those specified
     in the preceding elements. They are included in FDP_IFF.2.6 as they
     are intended to contain exceptions to the rules in the preceding
     elements. An example of rules to explicitly deny information
     flows is based on a privilege vector associated with a subject that
     always denies the subject the ability to cause an information flow
     for information that is covered by the SFP that has been specified.
     If such a capability is not desired, then the PP/ST author should
     _[DEL:_ specify "none" _:DEL]_ _select "no explicit denial rules"
     instead, in which case this assignment should not be completed_.

     * FDP_ITC.1 is relabeled as FDP_ITC.1-NIAP-0407. Unless otherwise
       noted in these changes, all normative and informative material
       associated with FDP_ITC.1 is incorporated unchanged into
       FDP_ITC.1-NIAP-0407, and all references to FDP_ITC.1 in the CC,
       CEM, or other Common Criteria documentation are changed to refer
       to FDP_ITC.1-NIAP-0407.

     * Subclause 6.7, FDP_ITC.1 is modified as follows:

     FDP_ITC.1.3_-NIAP-0407_ The TSF shall enforce the following rules
     when importing user data controlled under the SFP from outside the
     TSC: _[selection:_ [assignment: _additional importation control
     rules_]_, "no additional rules"]_

     * In subclause F.7, the following is added after the "Operations"
       subheader after paragraph 855:

     Selection:

     For FDP_ITC.1.3-NIAP-0407, the PP/ST author should select "no
     additional rules" if there are no additional importation control
     rules. In such a case, the assignment should not be completed.

     * Subclause F.7, paragraph 857, is modified as follows:

     In FDP_ITC.1.3_-NIAP-0407_, the PP/ST author should specify any
     additional importation control rules or _[DEL:_ "none" _:DEL]_
     _select "no additional rules"_ if there are no additional
     importation control rules. These rules will be enforced by the TSF
     in addition to the access control SFPs and/or information flow
     control SFPs selected in FDP_ITC.1.1. _This assignment should not
     be completed if "no additional rules" was selected._

     * FDP_ITC.2 is relabeled as FDP_ITC.2-NIAP-0407. Unless otherwise
       noted in these changes, all normative and informative material
       associated with FDP_ITC.2 is incorporated unchanged into
       FDP_ITC.2-NIAP-0407, and all references to FDP_ITC.2 in the CC,
       CEM, or other Common Criteria documentation are changed to refer
       to FDP_ITC.2-NIAP-0407.

     * Subclause 6.7, FDP_ITC.2 is modified as follows:

     FDP_ITC.2.5_-NIAP-0407_ The TSF shall enforce the following rules
     when importing user data controlled under the SFP from outside the
     TSC: _[selection:_ [assignment: _additional importation control
     rules_]_, "no additional importation rules"]_

     * In subclause F.7, the following is added after the "Operations"
       subheader after paragraph 858:

     Selection:

     For FDP_ITC.2.5-NIAP-0407, the PP/ST author should select "no
     additional importation rules" if there are no additional
     importation rules. In such a case, the assignment should not be
     completed.

     * Subclause F.7, paragraph 860, is modified as follows:

     In FDP_ITC.2.5_-NIAP-0407_, the PP/ST author should specify any
     additional importation control rules or _[DEL:_ "none" _:DEL]_
     _select "no additional importation rules"_ if there are no
     additional importation rules. These rules will be enforced by the
     TSF in addition to the access control SFPs and/or information flow
     control SFPs selected in FDP_ITC.2.1. _This assignment should not
     be completed if "no additional importation rules" was selected._

PROJECTED IMPACT:

   Negligible impact anticipated.

SUPPORT:

   _This interpretation should not be approved until I-0414 is approved._

   _This interpretation could be affected by CCIMB-INTERP-0019, based on
   the proposed changes detailed in the Latest Draft._

   This interpretation eliminates the confusion in the ISSUE by only
   permitting "none" where explicitly specified.

   The list of elements for which "none" is acceptable was determined by
   examining all assignments and selections in the functional
   requirements in CC v2.1 and the CC Part 2 annexes, and determining
   whether (a) the annex indicated that "none" was an appropriate
   option, or (b) an assignment or selection of "none" (or equivalent
   wording, such as "no action") resulted in a requirement that made
   sense.

   The approach taken in dealing with ambiguous assignments is to place
   the assignments in a selection, with the null option included as the
   last selection. An alternative approach would have been a single
   assignment with "or 'none'", but the approach taken was felt to be
   more in line with the style of the CC.

   This interpretation has an effect on all elements that contain
   assignments or selections. Specifically, it prohibits "none" (or
   equivalent) unless the option is explicit, and clarifies the use of
   the selection operator to indicate how multiple options may be
   combined. For those components drawn from the CC, it is expected that
   this change only codifies existing practice. Explicitly stated
   elements containing assignments and selections in PPs and STs should
   be examined to determine if "none" should be provided as an explicit
   option, or if there should be stated restrictions on the combinations
   of options in a selection.

   Note: This interpretation is being applied to the CC as modified by
   I-0387, I-0414, I-0416, and I-0417.


0407-np.pdf


