I-0460: Empty Selections Or Assignments/One Or More
- Subject: I-0460: Empty Selections Or Assignments/One Or More
- From: "NIAP Interpretations Board" <ccevs-nib@nist.gov>
- Date: Wed, 10 Jul 2002 11:44:34 -0700
- Content-description: Mail message body
- Content-transfer-encoding: 7BIT
- Content-type: text/plain; charset=US-ASCII
- Priority: normal
- Reply-to: cc-cmt@nist.gov
[NOTE: This proposal is being re-posted after being updated to reflect
comments the IWG received on its previous posting, or comments arising
from further IWG discussion of the proposal.]
This transaction consists of a proposal for a NIAP Interpretation of a
Common Criteria document. It is being posted in accordance with the
procedures of the IWG.
Comments on this proposal are welcomed and should be posted to this
transaction chain. If any party wishes to post a comment anonymously,
the comment should be mailed to ccevs-cmt@nist.gov in a form suitable
for posting. All comments should be posted no later than Monday, August
5, 2002.
CCITSE/CEM NIAP INTERPRETATION (PROPOSED)
________________________________________________________________
_
I-0460: Empty Selections Or Assignments/One Or More
________________________________________________________________
_
TYPE: NIAP Interpretation
NUMBER: I-0460
STATUS: Reposted for External Review
TITLE: Empty Selections Or Assignments/One Or More
WOULD SUPERSEDE:
I-0407 Empty Selections Or Assignments
I-0429 Selecting One Or More
PREVIOUS POSTING: _No posting_
PREVIOUS POSTING: _No posting_
COMMENTS DUE BY: Monday, August 5, 2002 to ccevs-cmt@nist.gov
SOURCE REFERENCE: CC v2.1 Part 1 Subclause 4.4.1
CC v2.1 Part 2 Subclause 3.2 FAU_GEN.1
CC v2.1 Part 2 Subclause 3.3 FAU_SAA.1
CC v2.1 Part 2 Subclause 3.5 FAU_SEL.1
CC v2.1 Part 2 Subclause 3.6 FAU_STG.1
CC v2.1 Part 2 Subclause 3.6 FAU_STG.2
CC v2.1 Part 2 Subclause 3.6 FAU_STG.4
CC v2.1 Part 2 Subclause 3.NIAP-0414 FAU_STG.NIAP-0414-
1
CC v2.1 Part 2 Subclause 6.2 FDP_ACF.1
CC v2.1 Part 2 Subclause 6.4 FDP_ETC.2
CC v2.1 Part 2 Subclause 6.6 FDP_IFF
CC v2.1 Part 2 Subclause 6.7 FDP_ITC.2
CC v2.1 Part 2 Subclause 8.2 FMT_MSA.3
CC v2.1 Part 2 Subclause 9.2 FPR_PSE.1
CC v2.1 Part 2 Subclause 9.2 FPR_PSE.2
CC v2.1 Part 2 Subclause 9.2 FPR_PSE.3
CC v2.1 Part 2 Subclause C.2 FAU_GEN.1
CC v2.1 Part 2 Subclause C.3 FAU_SAA.1
CC v2.1 Part 2 Subclause C.5 FAU_SEL.1
CC v2.1 Part 2 Subclause C.6 FAU_STG.1
CC v2.1 Part 2 Subclause C.6 FAU_STG.2
CC v2.1 Part 2 Subclause C.6 FAU_STG.4
CC v2.1 Part 2 Subclause C.6 FAU_STG.NIAP-0414-1
CC v2.1 Part 2 Subclause F.2 FDP_ACF.1
CC v2.1 Part 2 Subclause F.4 FDP_ETC.2
CC v2.1 Part 2 Subclause F.6 FDP_IFF
CC v2.1 Part 2 Subclause F.7 FDP_ITC.2
CC v2.1 Part 2 Subclause H.2 FMT_MSA.3
CC v2.1 Part 2 Subclause I.2 FPR_PSE.1
CC v2.1 Part 2 Subclause I.2 FPR_PSE.2
CC v2.1 Part 2 Subclause I.2 FPR_PSE.3
RELATED TO:
I-0407 Empty Selections Or Assignments
I-0429 Selecting One Or More
I-0414 Site-Configurable Prevention Of Audit Loss
I-0387 Auditing Of Audit Storage Failures
CCIMB ENTRY: CCIMB-INTERP-0200
ISSUE:
CC v2.1 is ambiguous as to whether assignments could be completed by
selecting none, i.e., providing no list. Similarly, it is unclear
whether "none" is available as a selection. In some cases, "none" is
given as an option in the Annex, but not indicated in the normative
portion of Part 2. Additionally, it is unclear if, in a selection
operation, selection of multiple items is permissible.
STATEMENT
Assignments must be non-empty. The CC must be clear when a null choice
is an appropriate option. Additionally, unless otherwise stated,
multiple items in a selection may be selected. Cases where only a
specific number of items may be selected must be explicit.
SPECIFIC INTERPRETATION
_Note: The current wording of the changes for I-0460 make the
following presumptions: As I-0407 and I-0429 are being superseded, it
is as if those changes were never made. Further, this interpretation
presumes that it will be approved before I-0387, as I-0387 was
returned for rework. If the latter assumption changes, this
interpretation will need to be modified to reflect changes to the
criteria as modified by I-0387, not I-0414._
To address this interpretation, the following changes are made to CC
v2.1, Part 1, as modified by CCIMB-INTERP-0019: (additions marked
_thusly_; deletions marked _[DEL:_ thusly _:DEL]_ )
* After the 2nd paragraph under Assignment in the new text from
CCIMB-INTERP-0019, add:
Lists used to complete assignments must be non-empty unless an
empty assignment is explicitly permitted (e.g., "none").
* After the only paragraph under Selection in the new text from
CCIMB-INTERP-0019, add:
"None" (or equivalent wording) is only available as a choice if it
is explicitly provided; furthermore, if the "none" option is
chosen, no additional selection options may be chosen. If "none"
is not given as an option in a selection, it is permissible to
combine the choices in a selection with "and"s and "or"s, unless
the selection explicitly states "choose one of" (or equivalent
wording).
[Note: The remainer of these changes are exactly the same as in I-0407
and I-0429, with interpretation numbers changed. For simplicity for
the reader, the full names of the I-0407 versions or I-0429 (e.g.,
"-NIAP-0407") are not shown.]
To address this interpretation, the following changes are made to CC
v2.1, Part 2: (additions marked _thusly_; deletions marked _[DEL:_
thusly _:DEL]_ )
* FAU_GEN.1 is relabeled as FAU_GEN.1-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FAU_GEN.1 is incorporated unchanged into
FAU_GEN.1-NIAP-0460, and all references to FAU_GEN.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to FAU_GEN.1-NIAP-0460.
* Subclause 3.2, FAU_GEN.1 is modified as follows:
FAU_GEN.1.1_-NIAP-0460_ The TSF shall be able to generate an audit
record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection: _choose one of:
minimum, basic, detailed, not specified_] level of audit; and
c) _[selection: choose one of:_ [assignment: _other specifically
defined auditable events_]_, "no additional events"]_.
FAU_GEN.1.2_-NIAP-0460_ The TSF shall record within each audit
record at least the following information:
a) Date and time of the event, type of event, subject identity, and
the outcome (success or failure) of the event; and
b) For each audit event time, based on the auditable event
definitions of the functional components included in the PP/ST,
_[selection:_ [assignment: _other audit relevant information]__, "no
other information"]_
* The following is added after Subclause C.2, paragraph 567:
For FAU_GEN.1.1_-NIAP-0460_b, the PP/ST author should select the
level of auditable events called out in the audit section of other
functional components included in the PP/ST. This level _[DEL:_
could be _:DEL]_ _is one of the following:_ "minimum", "basic",
"detailed" or "not specified". _[DEL:_ If "not specified" is
selected, the PP/ ST author should fill in all desired auditable
events in FAU_GEN.1.1c, and this part of the element (item b) can
be removed entirely. _:DEL]_
For FAU_GEN.1.1-NIAP-0460c, the PP/ST author should select "no
additional events" if there are no additional events to be audited.
In such a case, the assignment should not be completed.
For FAU_GEN.1.2-NIAP-0460b, the PP/ST author should select "no
other information" if the only information to be recorded is that
listed in item a. In such a case, the assignment should not be
completed.
* Subclause C.2, paragraphs 568 and 569 are modified as follows:
For FAU_GEN.1.1_-NIAP-0460_c, the PP/ST author should assign a list
of other specifically defined auditable events to be included in
the list of auditable events. These events could be auditable
events of a functional requirement that are of higher audit level
than requested in FAU_GEN.1.1b, as well as the events generated
through the use of a specified Application Programming Interface
(API). _This assignment need not be completed if "no additional
events" was selected._
For FAU_GEN.1.2_-NIAP-0460_b, the PP/ST author should assign, for
each auditable events included in the PP/ST, a list of other audit
relevant information to be included in audit event records. _This
assignment need not be completed if "no additional events" was
selected._
* FAU_SAA.1 is relabeled as FAU_SAA.1-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FAU_SAA.1 is incorporated unchanged into
FAU_SAA.1-NIAP-0460, and all references to FAU_SAA.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to FAU_SAA.1-NIAP-0460.
* Subclause 3.3, FAU_SAA.1 is modified as follows:
FAU_SAA.1-_NIAP-0460_.2 The TSF shall enforce the following rules
for monitoring audited events:
a) Accumulation or combination of [assignment: _subset of defined
auditable events_] known to indicate a potential security
violation;
b) _[selection:_ [assignment: _any other rules_]_, "no additional
rules"]_
* The following is added after Subclause C.3, paragraph 576:
Selection:
For FAU_SAA.1.2-NIAP-0460b, the PP/ST author should select "no
additional rules" if there are no additional rules to be applied.
In such a case, the assignment should not be completed.
* Subclause C.3, paragraph 577, is modified as follows:
In FAU_SAA.1.2_-NIAP-0460__[DEL:_ . _:DEL]_ b, the PP/ST author
should specify any other rules that the TSF should use in its
analysis of the audit trail. Those rules could include specific
requirements to express the needs for the events to occur in a
certain period of time (e.g. period of the day, duration). _This
assignment need not be completed if "no additional rules" was
selected._
* FAU_SEL.1 is relabeled as FAU_SEL.1-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FAU_SEL.1 is incorporated unchanged into
FAU_SEL.1-NIAP-0460, and all references to FAU_SEL.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to FAU_SEL.1-NIAP-0460.
* Subclause 3.5, FAU_SEL.1 is modified as follows:
FAU_SEL.1.1_-NIAP-0460_ The TSF shall be able to include or exclude
auditable events from the set of audited events based on the
following attributes:
a) [selection: _object identity, user identity, subject identity,
host identity, event type_]
b) _[selection:_ [assignment: _list of additional attributes that
audit selectivity is based upon_]_, "no additional attributes"]_
* The following is added after Subclause C.5, paragraph 624:
For FAU_SEL.1.1-NIAP-0460b, the PP/ST author should select "no
additional attributes" if there are no additional attributes upon
which audit selectivity is based. In such a case, the assignment
should not be completed.
* Subclause C.5, paragraph 625, is modified as follows:
For FAU_SEL.1.1_-NIAP-0460_b, the PP/ST author should specify any
additional attributes upon which audit selectivity is based. _This
assignment should not be completed if "no additional attributes"
was selected._
* FAU_STG.1-NIAP-0423 is relabeled as FAU_STG.1-NIAP-0460. Unless
otherwise noted in these changes, all normative and informative
material associated with FAU_STG.1-NIAP-0423 is incorporated
unchanged into FAU_STG.1-NIAP-0460, and all references to
FAU_STG.1-NIAP-0423 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FAU_STG.1-NIAP-0460.
* Subclause 3.6, FAU_STG.1-NIAP-0460 is modified as follows:
FAU_STG.1.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_ The TSF shall be able
to [_selection: choose one of: prevent, detect_] modifications to
the audit records in the audit trail.
* Subclause C.6, paragraph 629, is modified as follows:
In FAU_STG.1.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_, the PP/ST author
should specify whether the TSF shall prevent or only be able to
detect modifications of the audit trail. _Only one of these options
may be chosen._
* FAU_STG.2-NIAP-0423 is relabeled as FAU_STG.2-NIAP-0460. Unless
otherwise noted in these changes, all normative and informative
material associated with FAU_STG.2-NIAP-0423 is incorporated
unchanged into FAU_STG.2-NIAP-0460, and all references to
FAU_STG.2-NIAP-0423 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FAU_STG.2-NIAP-0460.
* Subclause 3.6, FAU_STG.2-NIAP-0460 is modified as follows:
FAU_STG.2.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_ The TSF shall be able
to [_selection: choose one of: prevent, detect_] modifications to
the audit records in the audit trail.
* Subclause C.6, paragraph 632, is modified as follows:
In FAU_STG.2.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_, the PP/ST author
should specify whether the TSF shall prevent or only be able to
detect modifications of the audit trail. _Only one of these options
may be chosen._
* FAU_STG.4 is relabeled as FAU_STG.4-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FAU_STG.4 is incorporated unchanged into
FAU_STG.4-NIAP-0460, and all references to FAU_STG.4 in the CC,
CEM, or other Common Criteria documentation is changed to refer to
FAU_STG.4-NIAP-0460.
* Subclause 3.6, FAU_STG.4 is modified as follows:
FAU_STG.4.1_-NIAP-0460_ The TSF shall [selection: _choose one of:_
_"ignore auditable events", "prevent auditable events, except those
taken by the authorised user with special rights", "overwrite the
oldest stored audit records"_] and _[selection:_ [assignment:
_other actions to be taken in case of audit storage failure_]_,
"take no other actions"]_ if the audit trail is full.
* Subclause C.6, FAU_STG.4-NIAP-0460, paragraph 639 is modified as
follows:
In FAU_STG.4_-NIAP-0460_.1, the PP/ST author should select whether
the TSF shall ignore auditable actions, or whether it should
prevent auditable actions from happening, or whether the oldest
audit records should be overwritten when the TSF can no longer
store audit records. _Only one of these may be chosen for automatic
action by the TSF, as choosing more than one would create a
contradiction._
* The following is added after Subclause C.6, paragraph 639:
For FAU_STG.4-NIAP-0460.1, the PP/ST author should select "take no
other actions" if there are no additional actions to be taken when
the audit trail is full. In such a case, the assignment should not
be completed.
* Subclause C.6, paragraph 640, is modified as follows:
In FAU_STG.4.1-_NIAP-0460_, the PP/ST author should specify other
actions that should be taken in case of audit storage failure, such
as informing the authorised user. _This assignment should not be
completed if "take no other actions" was selected._
* Subclause 3.6, FAU_STG.NIAP-0414-1 is modified as follows:
FAU_STG.NIAP-0414-1.1-NIAP-0460. The TSF shall provide an
authorised administrator with the capability to select one or more
of the following actions [selection: _"ignore auditable events",
"prevent auditable events, except those taken by the authorised
user with special rights", "overwrite the oldest stored audit
records"_] and _[selection:_ [assignment: _other actions to be
taken in case of audit storage failure_]_, "no additional options"]_
to be taken if the audit trail is full.
FAU_STG.NIAP-0414-1.2-NIAP-0460 The TSF shall [selection: _choose
one of:_ _"ignore auditable events", "prevent auditable events,
except those taken by the authorised user with special rights",
"overwrite the oldest stored audit records"_] and _[selection:_
[assignment: _other actions to be taken in case of audit storage
failure_]_, "take no other actions"]_ if the audit trail is full.
* The following is added in Subclause C.6, in the annex text for
FAU_STG.NIAP-0414-1, in the "Operations" section, in the
"Selection:" subsection, after the first paragraph:
For FAU_STG.NIAP-0414-1.1-NIAP-0460, the PP/ST author should select
"no additional options" if there are no additional options to be
provided to an authorised user. In such a case, the assignment
should not be completed.
* The following is added in Subclause C.6, in the annex text for
FAU_STG.NIAP-0414-1, in the "Operations" section, in the
"Selection:" subsection, after the last paragraph:
For FAU_STG.NIAP-0414-1.2-NIAP-0460, the PP/ST author should select
"take no other actions" if there are no additional actions to be
taken when the audit trail is full. In such a case, the assignment
should not be completed.
* In Subclause C.6, in the annex text for FAU_STG.NIAP-0414-1, in
the "Operations" section, the "Assignment" text is modified as
follows:
In FAU_STG.NIAP-0414-1.1_-NIAP-0460_, the PP/ST author should
specify other actions that should be taken in case of audit storage
failure, such as informing an authorized user. _This assignment
should not be completed if "no additional options" was selected._
In FAU_STG.NIAP-0414-1.2_-NIAP-0460_, the PP/ST author should
specify other actions that should be taken in case of audit storage
failure when no action has been selected, such as informing the
authorized user. _This assignment should not be completed if "take
no other actions" was selected._
* FDP_ACF.1-NIAP-0416 is relabeled as FDP_ACF.1-NIAP-0460. Unless
otherwise noted in these changes, all normative and informative
material associated with FDP_ACF.1-NIAP-0416 is incorporated
unchanged into FDP_ACF.1-NIAP-0460, and all references to
FDP_ACF.1-NIAP-0416 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FDP_ACF.1-NIAP-0460.
* Subclause 6.2, FDP_ACF.1-NIAP-0416 is modified as follows:
FDP_ACF.1.3_-NIAP-0460_ The TSF shall explicitly authorise access
of subjects to objects based on the following additional rules:
_[selection:_ [assignment: _rules, based on security attributes,
that explicitly authorise access of subjects to objects_]_, "no
additional rules"]_
FDP_ACF.1.4_-NIAP-0460_ The TSF shall explicitly deny access of
subjects to objects based on the _following rules:_ _[selection:_
[assignment: _rules, based on security attributes, that explicitly
deny access of subjects to objects_]_, "no additional explicit
denial rules"]_
* In Subclause F.2, the following is added after the "Operations"
subheader after paragraph 761:
Selection:
For FDP_ACF.1.3-NIAP-0460, the PP/ST author should select "no
additional rules" if there are no additional rules used to
explicitly authorise access. In such a case, the assignment should
not be completed.
For FDP_ACF.1.4-NIAP-0460, the PP/ST author should select "no
additional explicit denial rules" if there are no additional rules
used to explicitly denial access. In such a case, the assignment
should not be completed.
* Subclause F.2, paragraph 765 and 766, are modified as follows:
In FDP_ACF.1.3_-NIAP-0460_, the PP/ST author should specify the
rules, based on security attributes, that explicitly authorise
access of subjects to objects that will be used to explicitly
authorise access. These rules are in addition to those specified in
FDP_ACF.1.1. They are included in FDP_ACF.1.3 as they are intended
to contain exceptions to the rules in FDP_ACF.1.1. An example of
rules to explicitly authorise access is based on a privilege vector
associated with a subject that always grants access to objects
covered by the access control SFP that has been specified. If such
a capability is not desired, then the PP/ST author should _select_
_[DEL:_ specify "none" _:DEL]_ _"no additional rules" instead_.
In FDP_ACF.1.4_-NIAP-0460_, the PP/ST author should specify the
rules, based on security attributes, that explicitly deny access of
subjects to objects. These rules are in addition to those specified
in FDP_ACF.1.1. They are included in FDP_ACF.1.4 as they are
intended to contain exceptions to the rules in FDP_ACF.1.1. An
example of rules to explicitly deny access is based on a privilege
vector associated with a subject that always denies access to
objects covered by the access control SFP that has been specified.
If such a capability is not desired, then the PP/ST author should
_select_ _[DEL:_ specify "none" _:DEL]_ _"no additional explicit
denial rules" instead_.
* FDP_ETC.2 is relabeled as FDP_ETC.2-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FDP_ETC.2 is incorporated unchanged into
FDP_ETC.2-NIAP-0460, and all references to FDP_ETC.2 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to FDP_ETC.2-NIAP-0460.
* Subclause 6.4, FDP_ETC.2 is modified as follows:
FDP_ETC.2.4_-NIAP-0460_ The TSF shall enforce the following rules
when user data is exported from the TSC: _[selection:_ [assignment:
_additional exportation control rules_]_, "no additional rules"]_
* In subclause F.4, the following is added after the "Operations"
subheader after paragraph 783:
Selection:
For FDP_ETC.2.4-NIAP-0460, the PP/ST author should select "no
additional rules" if there are no additional exportation control
rules. In such a case, the assignment should not be completed.
* Subclause F.4, paragraph 784, is modified as follows:
In FDP_ETC.2.4_-NIAP-0460_, the PP/ST author should specify any
additional exportation control rules _[DEL:_ or "none" if there are
no additional exportation control rules _:DEL]_ . These rules will
be enforced by the TSF in addition to the access control SFPs
and/or information flow control SFPs selected in FDP_ETC.2.1. _This
assignment should not be completed if "no additional rules" was
selected._
* FDP_IFF.1-NIAP-0417 is relabeled as FDP_IFF.1-NIAP-0460. Unless
otherwise noted in these changes, all normative and informative
material associated with FDP_IFF.1-NIAP-0417 is incorporated
unchanged into FDP_IFF.1-NIAP-0460, and all references to
FDP_IFF.1-NIAP-0417 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FDP_IFF.1-NIAP-0460.
* Subclause 6.6, FDP_IFF.1 is modified as follows:
FDP_IFF.1.3_-NIAP-0460_ The TSF shall enforce the _following
information flow control rules: [selection:_ [assignment:
_additional information flow control SFP rules_]_, "no additional
information flow control SFP rules"]_
FDP_IFF.1.4_-NIAP-0460_ The TSF shall provide the following
_[selection:_ [assignment: _list of additional SFP capabilities_]_,
"no additional SFP capabilities"]_
FDP_IFF.1.5_-NIAP-0460_ The TSF shall explicitly authorise an
information flow based on the following rules: _[selection:_
[assignment: _rules, based on security attributes, that explicitly
authorise information flows_]_, "no explicit authorisation rules"]_
FDP_IFF.1.6_-NIAP-0460_ The TSF shall explicitly deny an
information flow based on the following rules: _[selection:_
[assignment: _rules, based on security attributes, that explicitly
deny information flows_]_, "no explicit denial rules"]_
* In subclause F.6, the following is added after the "Operations"
subheader after paragraph 808:
Selection:
For FDP_IFF.1.3-NIAP-0460, the PP/ST author should select "no
additional information flow control SFP rules" if there are no
additional rules. In such a case, the assignment should not be
completed.
For FDP_IFF.1.4-NIAP-0460, the PP/ST author should select "no
additional SFP capabilities" if there are no additional
capabilities to be provided by the TOE for the SFP. In such a case,
the assignment should not be completed.
For FDP_IFF.1.5-NIAP-0460, the PP/ST author should select "no
explicit authorisation rules" if there are no additional rules that
govern authorisation. In such a case, the assignment should not be
completed.
For FDP_IFF.1.6-NIAP-0460, the PP/ST author should select "no
explicit denial rules" if there are no additional rules that govern
denial. In such a case, the assignment should not be completed.
* Subclause F.6, paragraphs 812 through 815 are modified as follows:
In FDP_IFF.1.3_-NIAP-0460_ the PP/ST author should specify any
additional information flow control SFP rules that the TSF is to
enforce. If there are no additional rules then the PP/ST author
should _[DEL:_ specify "none" _:DEL]_ _select "no additional
information flow control SFP rules" instead, in which case this
assignment should not be completed_.
In FDP_IFF.1.4_-NIAP-0460_ the PP/ST author should specify any
additional SFP capabilities that the TSF is to provide. If there
are no additional capabilities then the PP/ST author should _[DEL:_
specify "none" _:DEL]_ _select "no additional SFP capabilities"
instead, in which case this assignment should not be completed_.
In FDP_IFF.1.5_-NIAP-0460_, the PP/ST author should specify the
rules, based on security attributes, that explicitly authorise
information flows. These rules are in addition to those specified
in the preceding elements. They are included in FDP_IFF.1.5 as they
are intended to contain exceptions to the rules in the preceding
elements. An example of rules to explicitly authorise information
flows is based on a privilege vector associated with a subject that
always grants the subject the ability to cause an information flow
for information that is covered by the SFP that has been specified.
If such a capability is not desired, then the PP/ST author should
_[DEL:_ specify "none" _:DEL]_ _select "no explicit authorisation
rules" instead, in which case this assignment should not be
completed_.
In FDP_IFF.1.6_-NIAP-0460_, the PP/ST author should specify the
rules, based on security attributes, that explicitly deny
information flows. These rules are in addition to those specified
in the preceding elements. They are included in FDP_IFF.1.6 as they
are intended to contain exceptions to the rules in the preceding
elements. An example of rules to explicitly authorise information
flows is based on a privilege vector associated with a subject that
always denies the subject the ability to cause an information flow
for information that is covered by the SFP that has been specified.
If such a capability is not desired, then the PP/ST author should
_[DEL:_ specify "none" _:DEL]_ _select "no explicit denial rules"
instead, in which case this assignment should not be completed_.
* FDP_IFF.2-NIAP-0417 is relabeled as FDP_IFF.2-NIAP-0460. Unless
otherwise noted in these changes, all normative and informative
material associated with FDP_IFF.2-NIAP-0417 is incorporated
unchanged into FDP_IFF.2-NIAP-0460, and all references to
FDP_IFF.2-NIAP-0417 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FDP_IFF.2-NIAP-0460.
* Subclause 6.6, FDP_IFF.2 is modified as follows:
FDP_IFF.2.3_-NIAP-0460_ The TSF shall enforce the _following
information flow control rules: [selection:_ [assignment:
_additional information flow control SFP rules_]_, "no additional
information flow control SFP rules"]_
FDP_IFF.2.4_-NIAP-0460_ The TSF shall provide the following
_[selection:_ [assignment: _list of additional SFP capabilities_]_,
"no additional SFP capabilities"]_
FDP_IFF.2.5_-NIAP-0460_ The TSF shall explicitly authorise an
information flow based on the following rules: _[selection:_
[assignment: _rules, based on security attributes, that explicitly
authorise information flows_]_, "no explicit authorisation rules"]_
FDP_IFF.2.6_-NIAP-0460_ The TSF shall explicitly deny an
information flow based on the following rules: _[selection:_
[assignment: _rules, based on security attributes, that explicitly
deny information flows_]_, "no explicit denial rules"]_
* In subclause F.6, the following is added after the "Operations"
subheader after paragraph 822:
Selection:
For FDP_IFF.2.3-NIAP-0460, the PP/ST author should select "no
additional information flow control SFP rules" if there are no
additional rules. In such a case, the assignment should not be
completed.
For FDP_IFF.2.4-NIAP-0460, the PP/ST author should select "no
additional SFP capabilities" if there are no additional
capabilities to be provided by the TOE for the SFP. In such a case,
the assignment should not be completed.
For FDP_IFF.2.5-NIAP-0460, the PP/ST author should select "no
explicit authorisation rules" if there are no additional rules that
govern authorisation. In such a case, the assignment should not be
completed.
For FDP_IFF.2.6-NIAP-0460, the PP/ST author should select "no
explicit denial rules" if there are no additional rules that govern
denial. In such a case, the assignment should not be completed.
* Subclause F.6, paragraphs 824 through 827 are modified as follows:
In FDP_IFF.2.3_-NIAP-0460_ the PP/ST author should specify any
additional information flow control SFP rules that the TSF is to
enforce. If there are no additional rules then the PP/ST author
should _[DEL:_ specify "none" _:DEL]_ _select "no additional
information flow control SFP rules" instead, in which case this
assignment should not be completed_.
In FDP_IFF.2.4_-NIAP-0460_ the PP/ST author should specify any
additional SFP capabilities that the TSF is to provide. If there
are no additional capabilities then the PP/ST author should _[DEL:_
specify "none" _:DEL]_ _select "no additional SFP capabilities"
instead, in which case this assignment should not be completed_.
In FDP_IFF.2.5_-NIAP-0460_, the PP/ST author should specify the
rules, based on security attributes, that explicitly authorise
information flows. These rules are in addition to those specified
in the preceding elements. They are included in FDP_IFF.2.5 as they
are intended to contain exceptions to the rules in the preceding
elements. An example of rules to explicitly authorise information
flows is based on a privilege vector associated with a subject that
always grants the subject the ability to cause an information flow
for information that is covered by the SFP that has been specified.
If such a capability is not desired, then the PP/ST author should
_[DEL:_ specify "none" _:DEL]_ _select "no explicit authorisation
rules" instead, in which case this assignment should not be
completed_.
In FDP_IFF.2.6_-NIAP-0460_, the PP/ST author should specify the
rules, based on security attributes, that explicitly deny
information flows. These rules are in addition to those specified
in the preceding elements. They are included in FDP_IFF.2.6 as they
are intended to contain exceptions to the rules in the preceding
elements. An example of rules to explicitly authorise information
flows is based on a privilege vector associated with a subject that
always denies the subject the ability to cause an information flow
for information that is covered by the SFP that has been specified.
If such a capability is not desired, then the PP/ST author should
_[DEL:_ specify "none" _:DEL]_ _select "no explicit denial rules"
instead, in which case this assignment should not be completed_.
* FDP_ITC.1 is relabeled as FDP_ITC.1-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FDP_ITC.1 is incorporated unchanged into
FDP_ITC.1-NIAP-0460, and all references to FDP_ITC.1 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to FDP_ITC.1-NIAP-0460.
* Subclause 6.7, FDP_ITC.1 is modified as follows:
FDP_ITC.1.3_-NIAP-0460_ The TSF shall enforce the following rules
when importing user data controlled under the SFP from outside the
TSC: _[selection:_ [assignment: _additional importation control
rules_]_, "no additional rules"]_
* In subclause F.7, the following is added after the "Operations"
subheader after paragraph 855:
Selection:
For FDP_ITC.1.3-NIAP-0460, the PP/ST author should select "no
additional rules" if there are no additional importation control
rules. In such a case, the assignment should not be completed.
* Subclause F.7, paragraph 857, is modified as follows:
In FDP_ITC.1.3_-NIAP-0460_, the PP/ST author should specify any
additional importation control rules or _[DEL:_ "none" _:DEL]_
_select "no additional rules"_ if there are no additional
importation control rules. These rules will be enforced by the TSF
in addition to the access control SFPs and/or information flow
control SFPs selected in FDP_ITC.1.1. _This assignment should not
be completed if "no additional rules" was selected._
* FDP_ITC.2 is relabeled as FDP_ITC.2-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FDP_ITC.2 is incorporated unchanged into
FDP_ITC.2-NIAP-0460, and all references to FDP_ITC.2 in the CC,
CEM, or other Common Criteria documentation are changed to refer
to FDP_ITC.2-NIAP-0460.
* Subclause 6.7, FDP_ITC.2 is modified as follows:
FDP_ITC.2.5_-NIAP-0460_ The TSF shall enforce the following rules
when importing user data controlled under the SFP from outside the
TSC: _[selection:_ [assignment: _additional importation control
rules_]_, "no additional importation rules"]_
* In subclause F.7, the following is added after the "Operations"
subheader after paragraph 858:
Selection:
For FDP_ITC.2.5-NIAP-0460, the PP/ST author should select "no
additional importation rules" if there are no additional
importation rules. In such a case, the assignment should not be
completed.
* Subclause F.7, paragraph 860, is modified as follows:
In FDP_ITC.2.5_-NIAP-0460_, the PP/ST author should specify any
additional importation control rules or _[DEL:_ "none" _:DEL]_
_select "no additional importation rules_ if there are no additional
importation rules. These rules will be enforced by the TSF in
addition to the access control SFPs and/or information flow control
SFPs selected in FDP_ITC.2.1. _This assignment should not be
completed if "no additional rules" was selected._
* FMT_MSA.3.NIAP-0409 is relabeled as FMT_MSA.3-NIAP-0460. Unless
otherwise noted in these changes, all normative and informative
material associated with FMT_MSA.3-NIAP-0409 is incorporated
unchanged into FMT_MSA.3-NIAP-0460, and all references to
FMT_MSA.3-NIAP-0409 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FMT_MSA.3-NIAP-0460.
* Subclause 8.2, FMT_MSA.3-NIAP-0409 is modified as follows:
FMT_MSA.3.1-NIAP-0409 The TSF shall enforce the [_assignment:
access control SFP, information flow control SFP_] to provide
[_selection: choose one of: restrictive, permissive, [assignment:
other property]_] default values for security attributes that are
used to enforce the SFP.
* Subclause H.2, FMT_MSA.3-NIAP-0409 is modified as follows:
Selection:
In FMT_MSA.3.1-NIAP-_[DEL:_ 0409 _:DEL]_ _0460_, the PP/ST author
should select whether the default property of the access control
attribute will be restrictive, permissive, or another property.
_Only one choice is permitted._
* FPR_PSE.1 is relabeled as FPR_PSE.1-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FPR_PSE.1 is incorporated unchanged into
FPR_PSE.1-NIAP-0460, and all references to FPR_PSE.1 in the CC,
CEM, or other Common Criteria documentation is changed to refer to
FPR_PSE.1-NIAP-0460.
* Subclause 9.2, FPR_PSE.1, element FPR_PSE.1.3 is modified as
follows:
FPR_PSE.1_-NIAP-0460_.3 The TSF shall [_selection: choose one of:
determine an alias for a user, accept the alias from the user_]
and verify that it conforms to the [_assignment: alias metric_].
* Subclause I.2, FPR_PSE.1, paragraph 1110, is modified as follows:
In FPR_PSE.1_-NIAP-0460_.3 the PP/ST author should specify whether
the user alias is generated by the TSF, or supplied by the user.
_Only one of these options may be chosen._
* FPR_PSE.2 is relabeled as FPR_PSE.2-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FPR_PSE.2 is incorporated unchanged into
FPR_PSE.2-NIAP-0460, and all references to FPR_PSE.2 in the CC,
CEM, or other Common Criteria documentation is changed to refer to
FPR_PSE.2-NIAP-0460.
* Subclause 9.2, FPR_PSE.2, element FPR_PSE.2.3 is modified as
follows:
FPR_PSE.2_-NIAP-0460_.3 The TSF shall [_selection: choose one of:
determine an alias for a user, accept the alias from the user_]
and verify that it conforms to the [_assignment: alias metric_].
* Subclause I.2, FPR_PSE.2, paragraph 1118, is modified as follows:
In FPR_PSE.2_-NIAP-0460_.3 the PP/ST author should specify whether
the user alias is generated by the TSF, or supplied by the user.
_Only one of these options may be chosen._
* FPR_PSE.3 is relabeled as FPR_PSE.3-NIAP-0460. Unless otherwise
noted in these changes, all normative and informative material
associated with FPR_PSE.3 is incorporated unchanged into
FPR_PSE.3-NIAP-0460, and all references to FPR_PSE.3 in the CC,
CEM, or other Common Criteria documentation is changed to refer to
FPR_PSE.3-NIAP-0460.
* Subclause 9.2, FPR_PSE.3, element FPR_PSE.3.3 is modified as
follows:
FPR_PSE.3_-NIAP-0460_.3 The TSF shall [_selection: choose one of:
determine an alias for a user, accept the alias from the user_]
and verify that it conforms to the [_assignment: alias metric_].
* Subclause I.2, FPR_PSE.3, paragraph 1129, is modified as follows:
In FPR_PSE.3_-NIAP-0460_.3 the PP/ST author should specify whether
the user alias is generated by the TSF, or supplied by the user.
_Only one of these options may be chosen._
SUPPORT:
This interpretation eliminates the confusion in the ISSUE by only
permitting "none" where explicitly specified. It also makes it clear
that more than one selection from a selection list may be made, unless
it is expressly prohibited. It also clarifies those selection lists
where selecting multiple options would introduce an internal
contradiction.
The list of elements for which "none" is acceptable was determined by
examining all assignments and selections in the functional
requirements in CC v2.1 and the CC Part 2 annexes, and seeing if (a)
the annex indicated that "none" was an appropriate option, or (b) if
an assignment or selection of "none" (or equivalent wording, such as
"no action") resulted in a requirement that made sense.
The approach taken in dealing with ambiguous assignments is to place
the assignments in a selection, with the null option included as the
last selection. An alternative approach would have been a single
assignment with "or 'none'", but the approach taken was felt to be
more in line with the style of the CC.
This interpretation has an effect on all elements that contain
assignments or selections. Specifically, it prohibits "none" (or
equivalent) unless the option is explicit, and clarifies the use of
the selection operator to indicate how multiple options may be
combined. For those components drawn from the CC, it is expected that
this change only codifies existing practice. Explicitly stated
elements containing assignments and selections in PPs and STs should
be examined to determine if "none" should be provided as an explicit
option, or if there should be stated restrictions on the combinations
of options in a selection.
This queue entry also removes a clause from FAU_GEN that complicates
evaluation by eliminating original text when a particular selection
option is chosen (for if the text is eliminated, it is unclear to the
evaluator if the clause was accidentally omitted, or intentionally
removed).
Note: This interpretation is being applied to the CC as modified by
I-0414, I-0416, I-0417, and CCIMB-INTERP-0019. As this is superseding
I-0407 and I-0429, the changes made by those interpretations are
ignored.
Date Index |
Thread Index |
Problems or questions? Contact list-master@nist.gov