RE: Possible request for interpretation: low-level design doc questions

["Knoke, Jim" <Jim.Knoke@GetronicsGov.com>]

NIB:
> In cases where both FPT_SEP and FPT_RVM are 
> included in the collection of functional requirements, there 
> doesn't seem to be 
> any difference between TSF and TCB.  

One difference between TCB and TSF might be that the TSF includes test
code and the TCB didn't.

NIB:
> The NIB believes that, once the TSF is identified, then its 
> constituent parts 
> must be described; however, because some parts need only work 
> correctly, 
> the details of those parts need not be as extensive.

I think this is key.

NIB:
> The 
> opposite view, 
> expressed by some on this list, appears to hold that these 
> parts that need 
> only work correctly are not part of the TSF and, therefore, 
> need not be 
> described at all. 

Or is there a middle ground where the CEM directs the evaluators to
certain kinds of analyses on some things outside the TSF?

NIB: 
> The NIB believes 
> that "relied upon" 
> includes all portions of the executing TOE that must operate 
> correctly, rather 
> than only those portions that actively enforce any of the 
> security policies. The 
> NIB has therefore created a queue entry on the phrase "relied 
> upon"; as the 
> entry is developed, we'll explore the varying views to arrive 
> at a community 
> consensus.  

Its almost like we need a third-category of stuff which is "quasi-TSF".
And then don't apply the standard CC assurance and CEM analysis to it,
but define some lesser or alternative assurance and analysis. If done
carefully, I don't think this would measurably reduce the secureness of
the TOE and it will reduce costs to evaluate and therefore encourage
more evaluations.