RE: I-0463: Hardware Inclusion In A TOE With FPT_SEP
- Subject: RE: I-0463: Hardware Inclusion In A TOE With FPT_SEP
- From: "Arnold, James L. Jr." <JAMES.L.ARNOLD.JR@saic.com>
- Date: Wed, 17 Jul 2002 12:01:00 -0400
- Content-Type: text/plain; charset="iso-8859-1"
Why do I feel we are just going in circles?
I suggest that the Oracle DBMS PP indicates an alternate approach because
the NIB is indicating (in I-0463) that if you claim FPT_SEP you will almost
certainly have to include hardware in the TOE. The Oracle DBMS PP serves as
an example where that is not the case.
I can't find where I-0463 indicates that there are no assumptions or IT
security requirements related to FPT_SEP. Rather, the proposed
interpretation indicates that if FPT_SEP is a TOE requirement it is very
likely that hardware must be in the TOE. There don't seem to be any
mitigating conditions. The proposed interpretation does indicate that it
MIGHT be possible to exclude hardware from the TOE, but there is a very
strong indication that this likely could not happen. Regardless, I am
addressing a more general concept and not what the proposed interpretation
guidance says.
I certainly agree that there are disconnects between Part 1 and Part 3, but
in this case I don't necessarily see any conflict. However, you seem to be
indicating that assumptions must be limited to non-IT topics. Since the
topic of "connectivity" certainly seems to be IT related, I don't think I
can agree.
Requirements are interpreted despite the absence of any formally documented
interpretations. Obviously someone in the UK decided that the Oracle DBMS PP
was acceptable. If the implications in that PP are acceptable to the NIB
then I'd certainly recommend writing an "else" clause in the proposed
interpretation so that people aren't misled. If the NIB disagrees, then I
guess more products will be going to the UK.
I think I indicated earlier that the words "maintain" and "implement" do not
necessarily mean the same thing. Similarly, "maintain" and "provide" do not
necessarily mean the same thing. My claim is that if a TOE/TSF is designed
to operate (with code, data, etc.) within the boundaries it is given (by its
IT environment), then it can be considered to be "maintaining" that
environment. The FPT_SEP informative text seems fairly clear in demanding
that the domain of the TSF be separated from the domain of the untrusted
subjects. I agree that the TOE must perform some function to meet the
requirement, such as instantiating untrusted subjects in domains outside
that of the TSF, but I disagree that it cannot have any help from its IT
environment (provided that that help is clearly documented as either
assumptions or requirements on the IT environment). Apparently we can't get
past this point and hence I enter the Oracle DBMS PP into evidence to
support my side.