Re: I-0460: Empty Selections Or Assignments/One Or More



All,

MITRE validators have examined this proposal and agree with it as
written.

We recognize the problems that can arise as the CC evolves (e.g.,
involving existing PPs). We expect similar problems to surface in the
future (e.g., as assurance maintenance comes into play). As such, we
recommend that a policy be developed and implemented that takes into
account the problems and offers reasonable solutions (e.g., that might
be waiver-based).

--Tim Bergendahl--

NIAP Interpretations Board wrote:
> 
>   [NOTE: This proposal is being re-posted after being updated to reflect
>   comments the IWG received on its previous posting, or comments arising
>   from further IWG discussion of the proposal.]
> 
>   This transaction consists of a proposal for a NIAP Interpretation of a
>   Common Criteria document. It is being posted in accordance with the
>   procedures of the IWG.
> 
>   Comments on this proposal are welcomed and should be posted to this
>   transaction chain.  If any party wishes to post a comment anonymously,
>   the comment should be mailed to ccevs-cmt@nist.gov in a form suitable
>   for posting.  All comments should be posted no later than Monday, August
>   5, 2002.
> 
>                  CCITSE/CEM  NIAP INTERPRETATION (PROPOSED)
> 
> 
> _________________________________________________________________
> 
>               I-0460: Empty Selections Or Assignments/One Or More
> 
> _________________________________________________________________
> 
> TYPE:                 NIAP Interpretation
> NUMBER:               I-0460
> STATUS:               Reposted for External Review
> 
> TITLE:                Empty Selections Or Assignments/One Or More
> WOULD SUPERSEDE:
>      I-0407           Empty Selections Or Assignments
>      I-0429           Selecting One Or More
> PREVIOUS POSTING:      _No posting_
> COMMENTS DUE BY:      Monday, August 5, 2002 to ccevs-cmt@nist.gov
> 
> SOURCE REFERENCE:     CC v2.1 Part 1 Subclause 4.4.1
>                       CC v2.1 Part 2 Subclause 3.2 FAU_GEN.1
>                       CC v2.1 Part 2 Subclause 3.3 FAU_SAA.1
>                       CC v2.1 Part 2 Subclause 3.5 FAU_SEL.1
>                       CC v2.1 Part 2 Subclause 3.6 FAU_STG.1
>                       CC v2.1 Part 2 Subclause 3.6 FAU_STG.2
>                       CC v2.1 Part 2 Subclause 3.6 FAU_STG.4
>                       CC v2.1 Part 2 Subclause 3.NIAP-0414 FAU_STG.NIAP-0414-1
>                       CC v2.1 Part 2 Subclause 6.2 FDP_ACF.1
>                       CC v2.1 Part 2 Subclause 6.4 FDP_ETC.2
>                       CC v2.1 Part 2 Subclause 6.6 FDP_IFF
>                       CC v2.1 Part 2 Subclause 6.7 FDP_ITC.2
>                       CC v2.1 Part 2 Subclause 8.2 FMT_MSA.3
>                       CC v2.1 Part 2 Subclause 9.2 FPR_PSE.1
>                       CC v2.1 Part 2 Subclause 9.2 FPR_PSE.2
>                       CC v2.1 Part 2 Subclause 9.2 FPR_PSE.3
>                       CC v2.1 Part 2 Subclause C.2 FAU_GEN.1
>                       CC v2.1 Part 2 Subclause C.3 FAU_SAA.1
>                       CC v2.1 Part 2 Subclause C.5 FAU_SEL.1
>                       CC v2.1 Part 2 Subclause C.6 FAU_STG.1
>                       CC v2.1 Part 2 Subclause C.6 FAU_STG.2
>                       CC v2.1 Part 2 Subclause C.6 FAU_STG.4
>                       CC v2.1 Part 2 Subclause C.6 FAU_STG.NIAP-0414-1
>                       CC v2.1 Part 2 Subclause F.2 FDP_ACF.1
>                       CC v2.1 Part 2 Subclause F.4 FDP_ETC.2
>                       CC v2.1 Part 2 Subclause F.6 FDP_IFF
>                       CC v2.1 Part 2 Subclause F.7 FDP_ITC.2
>                       CC v2.1 Part 2 Subclause H.2 FMT_MSA.3
>                       CC v2.1 Part 2 Subclause I.2 FPR_PSE.1
>                       CC v2.1 Part 2 Subclause I.2 FPR_PSE.2
>                       CC v2.1 Part 2 Subclause I.2 FPR_PSE.3
> RELATED TO:
>      I-0407           Empty Selections Or Assignments
>      I-0429           Selecting One Or More
>      I-0414           Site-Configurable Prevention Of Audit Loss
>      I-0387           Auditing Of Audit Storage Failures
> CCIMB ENTRY:          CCIMB-INTERP-0200
> 
> ISSUE:
> 
>    CC v2.1 is ambiguous as to whether assignments could be completed by
>    selecting none, i.e., providing no list. Similarly, it is unclear
>    whether "none" is available as a selection. In some cases, "none" is
>    given as an option in the Annex, but not indicated in the normative
>    portion of Part 2. Additionally, it is unclear if, in a selection
>    operation, selection of multiple items is permissible.
> 
> STATEMENT
> 
>    Assignments must be non-empty. The CC must be clear when a null choice
>    is an appropriate option. Additionally, unless otherwise stated,
>    multiple items in a selection may be selected. Cases where only a
>    specific number of items may be selected must be explicit.
> 
> SPECIFIC INTERPRETATION
> 
>    _Note: The current wording of the changes for I-0460 make the
>    following presumptions: As I-0407 and I-0429 are being superseded, it
>    is as if those changes were never made. Further, this interpretation
>    presumes that it will be approved before I-0387, as I-0387 was
>    returned for rework. If the latter assumption changes, this
>    interpretation will need to be modified to reflect changes to the
>    criteria as modified by I-0387, not I-0414._
> 
>    To address this interpretation, the following changes are made to CC
>    v2.1, Part 1, as modified by CCIMB-INTERP-0019: (additions marked
>    _thusly_; deletions marked _[DEL:_ thusly _:DEL]_ )
> 
>      * After the 2nd paragraph under Assignment in the new text from
>        CCIMB-INTERP-0019, add:
>        Lists used to complete assignments must be non-empty unless an
>        empty assignment is explicitly permitted (e.g., "none").
> 
>      * After the only paragraph under Selection in the new text from
>        CCIMB-INTERP-0019, add:
>        "None" (or equivalent wording) is only available as a choice if it
>        is explicitly provided; furthermore, if the "none" option is
>        chosen, no additional selection options may be chosen. If "none"
>        is not given as an option in a selection, it is permissible to
>        combine the choices in a selection with "and"s and "or"s, unless
>        the selection explicitly states "choose one of" (or equivalent
>        wording).
> 
>    [Note: The remainder of these changes are exactly the same as in I-0407
>    and I-0429, with interpretation numbers changed. For simplicity for
>    the reader, the full names of the I-0407 versions or I-0429 (e.g.,
>    "-NIAP-0407") are not shown.]
> 
>    To address this interpretation, the following changes are made to CC
>    v2.1, Part 2: (additions marked _thusly_; deletions marked _[DEL:_
>    thusly _:DEL]_ )
> 
>      * FAU_GEN.1 is relabeled as FAU_GEN.1-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FAU_GEN.1 is incorporated unchanged into
>        FAU_GEN.1-NIAP-0460, and all references to FAU_GEN.1 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer
>        to FAU_GEN.1-NIAP-0460.
> 
>      * Subclause 3.2, FAU_GEN.1 is modified as follows:
> 
>      FAU_GEN.1.1_-NIAP-0460_ The TSF shall be able to generate an audit
>      record of the following auditable events:
> 
>      a) Start-up and shutdown of the audit functions;
>      b) All auditable events for the [selection: _choose one of:
>      minimum, basic, detailed, not specified_] level of audit; and
>      c) _[selection: choose one of:_ [assignment: _other specifically
>      defined auditable events_]_, "no additional events"]_.
>      FAU_GEN.1.2_-NIAP-0460_ The TSF shall record within each audit
>      record at least the following information:
>      a) Date and time of the event, type of event, subject identity, and
>      the outcome (success or failure) of the event; and
>      b) For each audit event type, based on the auditable event
>      definitions of the functional components included in the PP/ST,
>      _[selection:_ [assignment: _other audit relevant information]__, "no
>      other information"]_
> 
>      * The following is added after Subclause C.2, paragraph 567:
> 
>      For FAU_GEN.1.1_-NIAP-0460_b, the PP/ST author should select the
>      level of auditable events called out in the audit section of other
>      functional components included in the PP/ST. This level _[DEL:_
>      could be _:DEL]_ _is one of the following:_ "minimum", "basic",
>      "detailed" or "not specified". _[DEL:_ If "not specified" is
>      selected, the PP/ ST author should fill in all desired auditable
>      events in FAU_GEN.1.1c, and this part of the element (item b) can
>      be removed entirely. _:DEL]_
> 
>      For FAU_GEN.1.1-NIAP-0460c, the PP/ST author should select "no
>      additional events" if there are no additional events to be audited.
>      In such a case, the assignment should not be completed.
>      For FAU_GEN.1.2-NIAP-0460b, the PP/ST author should select "no
>      other information" if the only information to be recorded is that
>      listed in item a. In such a case, the assignment should not be
>      completed.
> 
>      * Subclause C.2, paragraphs 568 and 569 are modified as follows:
> 
>      For FAU_GEN.1.1_-NIAP-0460_c, the PP/ST author should assign a list
>      of other specifically defined auditable events to be included in
>      the list of auditable events. These events could be auditable
>      events of a functional requirement that are of higher audit level
>      than requested in FAU_GEN.1.1b, as well as the events generated
>      through the use of a specified Application Programming Interface
>      (API). _This assignment need not be completed if "no additional
>      events" was selected._
> 
>      For FAU_GEN.1.2_-NIAP-0460_b, the PP/ST author should assign, for
>      each auditable event included in the PP/ST, a list of other audit
>      relevant information to be included in audit event records. _This
>      assignment need not be completed if "no additional events" was
>      selected._
> 
>      * FAU_SAA.1 is relabeled as FAU_SAA.1-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FAU_SAA.1 is incorporated unchanged into
>        FAU_SAA.1-NIAP-0460, and all references to FAU_SAA.1 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer
>        to FAU_SAA.1-NIAP-0460.
> 
>      * Subclause 3.3, FAU_SAA.1 is modified as follows:
> 
>      FAU_SAA.1-_NIAP-0460_.2 The TSF shall enforce the following rules
>      for monitoring audited events:
> 
>      a) Accumulation or combination of [assignment: _subset of defined
>      auditable events_] known to indicate a potential security
>      violation;
>      b) _[selection:_ [assignment: _any other rules_]_, "no additional
>      rules"]_
> 
>      * The following is added after Subclause C.3, paragraph 576:
> 
>      Selection:
> 
>      For FAU_SAA.1.2-NIAP-0460b, the PP/ST author should select "no
>      additional rules" if there are no additional rules to be applied.
>      In such a case, the assignment should not be completed.
> 
>      * Subclause C.3, paragraph 577, is modified as follows:
> 
>      In FAU_SAA.1.2_-NIAP-0460__[DEL:_ . _:DEL]_ b, the PP/ST author
>      should specify any other rules that the TSF should use in its
>      analysis of the audit trail. Those rules could include specific
>      requirements to express the needs for the events to occur in a
>      certain period of time (e.g. period of the day, duration). _This
>      assignment need not be completed if "no additional rules" was
>      selected._
> 
>      * FAU_SEL.1 is relabeled as FAU_SEL.1-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FAU_SEL.1 is incorporated unchanged into
>        FAU_SEL.1-NIAP-0460, and all references to FAU_SEL.1 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer
>        to FAU_SEL.1-NIAP-0460.
> 
>      * Subclause 3.5, FAU_SEL.1 is modified as follows:
> 
>      FAU_SEL.1.1_-NIAP-0460_ The TSF shall be able to include or exclude
>      auditable events from the set of audited events based on the
>      following attributes:
> 
>      a) [selection: _object identity, user identity, subject identity,
>      host identity, event type_]
>      b) _[selection:_ [assignment: _list of additional attributes that
>      audit selectivity is based upon_]_, "no additional attributes"]_
> 
>      * The following is added after Subclause C.5, paragraph 624:
> 
>      For FAU_SEL.1.1-NIAP-0460b, the PP/ST author should select "no
>      additional attributes" if there are no additional attributes upon
>      which audit selectivity is based. In such a case, the assignment
>      should not be completed.
> 
>      * Subclause C.5, paragraph 625, is modified as follows:
> 
>      For FAU_SEL.1.1_-NIAP-0460_b, the PP/ST author should specify any
>      additional attributes upon which audit selectivity is based. _This
>      assignment should not be completed if "no additional attributes"
>      was selected._
> 
>      * FAU_STG.1-NIAP-0423 is relabeled as FAU_STG.1-NIAP-0460. Unless
>        otherwise noted in these changes, all normative and informative
>        material associated with FAU_STG.1-NIAP-0423 is incorporated
>        unchanged into FAU_STG.1-NIAP-0460, and all references to
>        FAU_STG.1-NIAP-0423 in the CC, CEM, or other Common Criteria
>        documentation are changed to refer to FAU_STG.1-NIAP-0460.
> 
>      * Subclause 3.6, FAU_STG.1-NIAP-0460 is modified as follows:
> 
>      FAU_STG.1.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_ The TSF shall be able
>      to [_selection: choose one of: prevent, detect_] modifications to
>      the audit records in the audit trail.
> 
>      * Subclause C.6, paragraph 629, is modified as follows:
> 
>      In FAU_STG.1.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_, the PP/ST author
>      should specify whether the TSF shall prevent or only be able to
>      detect modifications of the audit trail. _Only one of these options
>      may be chosen._
> 
>      * FAU_STG.2-NIAP-0423 is relabeled as FAU_STG.2-NIAP-0460. Unless
>        otherwise noted in these changes, all normative and informative
>        material associated with FAU_STG.2-NIAP-0423 is incorporated
>        unchanged into FAU_STG.2-NIAP-0460, and all references to
>        FAU_STG.2-NIAP-0423 in the CC, CEM, or other Common Criteria
>        documentation are changed to refer to FAU_STG.2-NIAP-0460.
> 
>      * Subclause 3.6, FAU_STG.2-NIAP-0460 is modified as follows:
> 
>      FAU_STG.2.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_ The TSF shall be able
>      to [_selection: choose one of: prevent, detect_] modifications to
>      the audit records in the audit trail.
> 
>      * Subclause C.6, paragraph 632, is modified as follows:
> 
>      In FAU_STG.2.2-NIAP-_[DEL:_ 0423 _:DEL]_ _0460_, the PP/ST author
>      should specify whether the TSF shall prevent or only be able to
>      detect modifications of the audit trail. _Only one of these options
>      may be chosen._
> 
>      * FAU_STG.4 is relabeled as FAU_STG.4-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FAU_STG.4 is incorporated unchanged into
>        FAU_STG.4-NIAP-0460, and all references to FAU_STG.4 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer to
>        FAU_STG.4-NIAP-0460.
> 
>      * Subclause 3.6, FAU_STG.4 is modified as follows:
> 
>      FAU_STG.4.1_-NIAP-0460_ The TSF shall [selection: _choose one of:_
>      _"ignore auditable events", "prevent auditable events, except those
>      taken by the authorised user with special rights", "overwrite the
>      oldest stored audit records"_] and _[selection:_ [assignment:
>      _other actions to be taken in case of audit storage failure_]_,
>      "take no other actions"]_ if the audit trail is full.
> 
>      * Subclause C.6, FAU_STG.4-NIAP-0460, paragraph 639 is modified as
>        follows:
> 
>      In FAU_STG.4_-NIAP-0460_.1, the PP/ST author should select whether
>      the TSF shall ignore auditable actions, or whether it should
>      prevent auditable actions from happening, or whether the oldest
>      audit records should be overwritten when the TSF can no longer
>      store audit records. _Only one of these may be chosen for automatic
>      action by the TSF, as choosing more than one would create a
>      contradiction._
> 
>      * The following is added after Subclause C.6, paragraph 639:
> 
>      For FAU_STG.4-NIAP-0460.1, the PP/ST author should select "take no
>      other actions" if there are no additional actions to be taken when
>      the audit trail is full. In such a case, the assignment should not
>      be completed.
> 
>      * Subclause C.6, paragraph 640, is modified as follows:
> 
>      In FAU_STG.4.1-_NIAP-0460_, the PP/ST author should specify other
>      actions that should be taken in case of audit storage failure, such
>      as informing the authorised user. _This assignment should not be
>      completed if "take no other actions" was selected._
> 
>      * Subclause 3.6, FAU_STG.NIAP-0414-1 is modified as follows:
> 
>      FAU_STG.NIAP-0414-1.1-NIAP-0460 The TSF shall provide an
>      authorised administrator with the capability to select one or more
>      of the following actions [selection: _"ignore auditable events",
>      "prevent auditable events, except those taken by the authorised
>      user with special rights", "overwrite the oldest stored audit
>      records"_] and _[selection:_ [assignment: _other actions to be
>      taken in case of audit storage failure_]_, "no additional options"]_
>      to be taken if the audit trail is full.
> 
>      FAU_STG.NIAP-0414-1.2-NIAP-0460 The TSF shall [selection: _choose
>      one of:_ _"ignore auditable events", "prevent auditable events,
>      except those taken by the authorised user with special rights",
>      "overwrite the oldest stored audit records"_] and _[selection:_
>      [assignment: _other actions to be taken in case of audit storage
>      failure_]_, "take no other actions"]_ if the audit trail is full.
> 
>      * The following is added in Subclause C.6, in the annex text for
>        FAU_STG.NIAP-0414-1, in the "Operations" section, in the
>        "Selection:" subsection, after the first paragraph:
> 
>      For FAU_STG.NIAP-0414-1.1-NIAP-0460, the PP/ST author should select
>      "no additional options" if there are no additional options to be
>      provided to an authorised user. In such a case, the assignment
>      should not be completed.
> 
>      * The following is added in Subclause C.6, in the annex text for
>        FAU_STG.NIAP-0414-1, in the "Operations" section, in the
>        "Selection:" subsection, after the last paragraph:
> 
>      For FAU_STG.NIAP-0414-1.2-NIAP-0460, the PP/ST author should select
>      "take no other actions" if there are no additional actions to be
>      taken when the audit trail is full. In such a case, the assignment
>      should not be completed.
> 
>      * In Subclause C.6, in the annex text for FAU_STG.NIAP-0414-1, in
>        the "Operations" section, the "Assignment" text is modified as
>        follows:
> 
>      In FAU_STG.NIAP-0414-1.1_-NIAP-0460_, the PP/ST author should
>      specify other actions that should be taken in case of audit storage
>      failure, such as informing an authorized user. _This assignment
>      should not be completed if "no additional options" was selected._
> 
>      In FAU_STG.NIAP-0414-1.2_-NIAP-0460_, the PP/ST author should
>      specify other actions that should be taken in case of audit storage
>      failure when no action has been selected, such as informing the
>      authorized user. _This assignment should not be completed if "take
>      no other actions" was selected._
> 
>      * FDP_ACF.1-NIAP-0416 is relabeled as FDP_ACF.1-NIAP-0460. Unless
>        otherwise noted in these changes, all normative and informative
>        material associated with FDP_ACF.1-NIAP-0416 is incorporated
>        unchanged into FDP_ACF.1-NIAP-0460, and all references to
>        FDP_ACF.1-NIAP-0416 in the CC, CEM, or other Common Criteria
>        documentation are changed to refer to FDP_ACF.1-NIAP-0460.
> 
>      * Subclause 6.2, FDP_ACF.1-NIAP-0416 is modified as follows:
> 
>      FDP_ACF.1.3_-NIAP-0460_ The TSF shall explicitly authorise access
>      of subjects to objects based on the following additional rules:
>      _[selection:_ [assignment: _rules, based on security attributes,
>      that explicitly authorise access of subjects to objects_]_, "no
>      additional rules"]_
> 
>      FDP_ACF.1.4_-NIAP-0460_ The TSF shall explicitly deny access of
>      subjects to objects based on the _following rules:_ _[selection:_
>      [assignment: _rules, based on security attributes, that explicitly
>      deny access of subjects to objects_]_, "no additional explicit
>      denial rules"]_
> 
>      * In Subclause F.2, the following is added after the "Operations"
>        subheader after paragraph 761:
> 
>      Selection:
> 
>      For FDP_ACF.1.3-NIAP-0460, the PP/ST author should select "no
>      additional rules" if there are no additional rules used to
>      explicitly authorise access. In such a case, the assignment should
>      not be completed.
>      For FDP_ACF.1.4-NIAP-0460, the PP/ST author should select "no
>      additional explicit denial rules" if there are no additional rules
>      used to explicitly deny access. In such a case, the assignment
>      should not be completed.
> 
>      * Subclause F.2, paragraph 765 and 766, are modified as follows:
> 
>      In FDP_ACF.1.3_-NIAP-0460_, the PP/ST author should specify the
>      rules, based on security attributes, that explicitly authorise
>      access of subjects to objects that will be used to explicitly
>      authorise access. These rules are in addition to those specified in
>      FDP_ACF.1.1. They are included in FDP_ACF.1.3 as they are intended
>      to contain exceptions to the rules in FDP_ACF.1.1. An example of
>      rules to explicitly authorise access is based on a privilege vector
>      associated with a subject that always grants access to objects
>      covered by the access control SFP that has been specified. If such
>      a capability is not desired, then the PP/ST author should _select_
>      _[DEL:_ specify "none" _:DEL]_ _"no additional rules" instead_.
> 
>      In FDP_ACF.1.4_-NIAP-0460_, the PP/ST author should specify the
>      rules, based on security attributes, that explicitly deny access of
>      subjects to objects. These rules are in addition to those specified
>      in FDP_ACF.1.1. They are included in FDP_ACF.1.4 as they are
>      intended to contain exceptions to the rules in FDP_ACF.1.1. An
>      example of rules to explicitly deny access is based on a privilege
>      vector associated with a subject that always denies access to
>      objects covered by the access control SFP that has been specified.
>      If such a capability is not desired, then the PP/ST author should
>      _select_ _[DEL:_ specify "none" _:DEL]_ _"no additional explicit
>      denial rules" instead_.
> 
>      * FDP_ETC.2 is relabeled as FDP_ETC.2-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FDP_ETC.2 is incorporated unchanged into
>        FDP_ETC.2-NIAP-0460, and all references to FDP_ETC.2 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer
>        to FDP_ETC.2-NIAP-0460.
> 
>      * Subclause 6.4, FDP_ETC.2 is modified as follows:
> 
>      FDP_ETC.2.4_-NIAP-0460_ The TSF shall enforce the following rules
>      when user data is exported from the TSC: _[selection:_ [assignment:
>      _additional exportation control rules_]_, "no additional rules"]_
> 
>      * In subclause F.4, the following is added after the "Operations"
>        subheader after paragraph 783:
> 
>      Selection:
> 
>      For FDP_ETC.2.4-NIAP-0460, the PP/ST author should select "no
>      additional rules" if there are no additional exportation control
>      rules. In such a case, the assignment should not be completed.
> 
>      * Subclause F.4, paragraph 784, is modified as follows:
> 
>      In FDP_ETC.2.4_-NIAP-0460_, the PP/ST author should specify any
>      additional exportation control rules _[DEL:_ or "none" if there are
>      no additional exportation control rules _:DEL]_ . These rules will
>      be enforced by the TSF in addition to the access control SFPs
>      and/or information flow control SFPs selected in FDP_ETC.2.1. _This
>      assignment should not be completed if "no additional rules" was
>      selected._
> 
>      * FDP_IFF.1-NIAP-0417 is relabeled as FDP_IFF.1-NIAP-0460. Unless
>        otherwise noted in these changes, all normative and informative
>        material associated with FDP_IFF.1-NIAP-0417 is incorporated
>        unchanged into FDP_IFF.1-NIAP-0460, and all references to
>        FDP_IFF.1-NIAP-0417 in the CC, CEM, or other Common Criteria
>        documentation are changed to refer to FDP_IFF.1-NIAP-0460.
> 
>      * Subclause 6.6, FDP_IFF.1 is modified as follows:
> 
>      FDP_IFF.1.3_-NIAP-0460_ The TSF shall enforce the _following
>      information flow control rules: [selection:_ [assignment:
>      _additional information flow control SFP rules_]_, "no additional
>      information flow control SFP rules"]_
> 
>      FDP_IFF.1.4_-NIAP-0460_ The TSF shall provide the following
>      _[selection:_ [assignment: _list of additional SFP capabilities_]_,
>      "no additional SFP capabilities"]_
>      FDP_IFF.1.5_-NIAP-0460_ The TSF shall explicitly authorise an
>      information flow based on the following rules: _[selection:_
>      [assignment: _rules, based on security attributes, that explicitly
>      authorise information flows_]_, "no explicit authorisation rules"]_
>      FDP_IFF.1.6_-NIAP-0460_ The TSF shall explicitly deny an
>      information flow based on the following rules: _[selection:_
>      [assignment: _rules, based on security attributes, that explicitly
>      deny information flows_]_, "no explicit denial rules"]_
> 
>      * In subclause F.6, the following is added after the "Operations"
>        subheader after paragraph 808:
> 
>      Selection:
> 
>      For FDP_IFF.1.3-NIAP-0460, the PP/ST author should select "no
>      additional information flow control SFP rules" if there are no
>      additional rules. In such a case, the assignment should not be
>      completed.
>      For FDP_IFF.1.4-NIAP-0460, the PP/ST author should select "no
>      additional SFP capabilities" if there are no additional
>      capabilities to be provided by the TOE for the SFP. In such a case,
>      the assignment should not be completed.
>      For FDP_IFF.1.5-NIAP-0460, the PP/ST author should select "no
>      explicit authorisation rules" if there are no additional rules that
>      govern authorisation. In such a case, the assignment should not be
>      completed.
>      For FDP_IFF.1.6-NIAP-0460, the PP/ST author should select "no
>      explicit denial rules" if there are no additional rules that govern
>      denial. In such a case, the assignment should not be completed.
> 
>      * Subclause F.6, paragraphs 812 through 815 are modified as follows:
> 
>      In FDP_IFF.1.3_-NIAP-0460_ the PP/ST author should specify any
>      additional information flow control SFP rules that the TSF is to
>      enforce. If there are no additional rules then the PP/ST author
>      should _[DEL:_ specify "none" _:DEL]_ _select "no additional
>      information flow control SFP rules" instead, in which case this
>      assignment should not be completed_.
> 
>      In FDP_IFF.1.4_-NIAP-0460_ the PP/ST author should specify any
>      additional SFP capabilities that the TSF is to provide. If there
>      are no additional capabilities then the PP/ST author should _[DEL:_
>      specify "none" _:DEL]_ _select "no additional SFP capabilities"
>      instead, in which case this assignment should not be completed_.
>      In FDP_IFF.1.5_-NIAP-0460_, the PP/ST author should specify the
>      rules, based on security attributes, that explicitly authorise
>      information flows. These rules are in addition to those specified
>      in the preceding elements. They are included in FDP_IFF.1.5 as they
>      are intended to contain exceptions to the rules in the preceding
>      elements. An example of rules to explicitly authorise information
>      flows is based on a privilege vector associated with a subject that
>      always grants the subject the ability to cause an information flow
>      for information that is covered by the SFP that has been specified.
>      If such a capability is not desired, then the PP/ST author should
>      _[DEL:_ specify "none" _:DEL]_ _select "no explicit authorisation
>      rules" instead, in which case this assignment should not be
>      completed_.
>      In FDP_IFF.1.6_-NIAP-0460_, the PP/ST author should specify the
>      rules, based on security attributes, that explicitly deny
>      information flows. These rules are in addition to those specified
>      in the preceding elements. They are included in FDP_IFF.1.6 as they
>      are intended to contain exceptions to the rules in the preceding
>      elements. An example of rules to explicitly authorise information
>      flows is based on a privilege vector associated with a subject that
>      always denies the subject the ability to cause an information flow
>      for information that is covered by the SFP that has been specified.
>      If such a capability is not desired, then the PP/ST author should
>      _[DEL:_ specify "none" _:DEL]_ _select "no explicit denial rules"
>      instead, in which case this assignment should not be completed_.
> 
>      * FDP_IFF.2-NIAP-0417 is relabeled as FDP_IFF.2-NIAP-0460. Unless
>        otherwise noted in these changes, all normative and informative
>        material associated with FDP_IFF.2-NIAP-0417 is incorporated
>        unchanged into FDP_IFF.2-NIAP-0460, and all references to
>        FDP_IFF.2-NIAP-0417 in the CC, CEM, or other Common Criteria
>        documentation are changed to refer to FDP_IFF.2-NIAP-0460.
> 
>      * Subclause 6.6, FDP_IFF.2 is modified as follows:
> 
>      FDP_IFF.2.3_-NIAP-0460_ The TSF shall enforce the _following
>      information flow control rules: [selection:_ [assignment:
>      _additional information flow control SFP rules_]_, "no additional
>      information flow control SFP rules"]_
> 
>      FDP_IFF.2.4_-NIAP-0460_ The TSF shall provide the following
>      _[selection:_ [assignment: _list of additional SFP capabilities_]_,
>      "no additional SFP capabilities"]_
>      FDP_IFF.2.5_-NIAP-0460_ The TSF shall explicitly authorise an
>      information flow based on the following rules: _[selection:_
>      [assignment: _rules, based on security attributes, that explicitly
>      authorise information flows_]_, "no explicit authorisation rules"]_
>      FDP_IFF.2.6_-NIAP-0460_ The TSF shall explicitly deny an
>      information flow based on the following rules: _[selection:_
>      [assignment: _rules, based on security attributes, that explicitly
>      deny information flows_]_, "no explicit denial rules"]_
> 
>      * In subclause F.6, the following is added after the "Operations"
>        subheader after paragraph 822:
> 
>      Selection:
> 
>      For FDP_IFF.2.3-NIAP-0460, the PP/ST author should select "no
>      additional information flow control SFP rules" if there are no
>      additional rules. In such a case, the assignment should not be
>      completed.
>      For FDP_IFF.2.4-NIAP-0460, the PP/ST author should select "no
>      additional SFP capabilities" if there are no additional
>      capabilities to be provided by the TOE for the SFP. In such a case,
>      the assignment should not be completed.
>      For FDP_IFF.2.5-NIAP-0460, the PP/ST author should select "no
>      explicit authorisation rules" if there are no additional rules that
>      govern authorisation. In such a case, the assignment should not be
>      completed.
>      For FDP_IFF.2.6-NIAP-0460, the PP/ST author should select "no
>      explicit denial rules" if there are no additional rules that govern
>      denial. In such a case, the assignment should not be completed.
> 
>      * Subclause F.6, paragraphs 824 through 827 are modified as follows:
> 
>      In FDP_IFF.2.3_-NIAP-0460_ the PP/ST author should specify any
>      additional information flow control SFP rules that the TSF is to
>      enforce. If there are no additional rules then the PP/ST author
>      should _[DEL:_ specify "none" _:DEL]_ _select "no additional
>      information flow control SFP rules" instead, in which case this
>      assignment should not be completed_.
> 
>      In FDP_IFF.2.4_-NIAP-0460_ the PP/ST author should specify any
>      additional SFP capabilities that the TSF is to provide. If there
>      are no additional capabilities then the PP/ST author should _[DEL:_
>      specify "none" _:DEL]_ _select "no additional SFP capabilities"
>      instead, in which case this assignment should not be completed_.
>      In FDP_IFF.2.5_-NIAP-0460_, the PP/ST author should specify the
>      rules, based on security attributes, that explicitly authorise
>      information flows. These rules are in addition to those specified
>      in the preceding elements. They are included in FDP_IFF.2.5 as they
>      are intended to contain exceptions to the rules in the preceding
>      elements. An example of rules to explicitly authorise information
>      flows is based on a privilege vector associated with a subject that
>      always grants the subject the ability to cause an information flow
>      for information that is covered by the SFP that has been specified.
>      If such a capability is not desired, then the PP/ST author should
>      _[DEL:_ specify "none" _:DEL]_ _select "no explicit authorisation
>      rules" instead, in which case this assignment should not be
>      completed_.
>      In FDP_IFF.2.6_-NIAP-0460_, the PP/ST author should specify the
>      rules, based on security attributes, that explicitly deny
>      information flows. These rules are in addition to those specified
>      in the preceding elements. They are included in FDP_IFF.2.6 as they
>      are intended to contain exceptions to the rules in the preceding
>      elements. An example of rules to explicitly authorise information
>      flows is based on a privilege vector associated with a subject that
>      always denies the subject the ability to cause an information flow
>      for information that is covered by the SFP that has been specified.
>      If such a capability is not desired, then the PP/ST author should
>      _[DEL:_ specify "none" _:DEL]_ _select "no explicit denial rules"
>      instead, in which case this assignment should not be completed_.
> 
>      * FDP_ITC.1 is relabeled as FDP_ITC.1-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FDP_ITC.1 is incorporated unchanged into
>        FDP_ITC.1-NIAP-0460, and all references to FDP_ITC.1 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer
>        to FDP_ITC.1-NIAP-0460.
> 
>      * Subclause 6.7, FDP_ITC.1 is modified as follows:
> 
>      FDP_ITC.1.3_-NIAP-0460_ The TSF shall enforce the following rules
>      when importing user data controlled under the SFP from outside the
>      TSC: _[selection:_ [assignment: _additional importation control
>      rules_]_, "no additional rules"]_
> 
>      * In subclause F.7, the following is added after the "Operations"
>        subheader after paragraph 855:
> 
>      Selection:
> 
>      For FDP_ITC.1.3-NIAP-0460, the PP/ST author should select "no
>      additional rules" if there are no additional importation control
>      rules. In such a case, the assignment should not be completed.
> 
>      * Subclause F.7, paragraph 857, is modified as follows:
> 
>      In FDP_ITC.1.3_-NIAP-0460_, the PP/ST author should specify any
>      additional importation control rules or _[DEL:_ "none" _:DEL]_
>      _select "no additional rules"_ if there are no additional
>      importation control rules. These rules will be enforced by the TSF
>      in addition to the access control SFPs and/or information flow
>      control SFPs selected in FDP_ITC.1.1. _This assignment should not
>      be completed if "no additional rules" was selected._
> 
>      * FDP_ITC.2 is relabeled as FDP_ITC.2-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FDP_ITC.2 is incorporated unchanged into
>        FDP_ITC.2-NIAP-0460, and all references to FDP_ITC.2 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer
>        to FDP_ITC.2-NIAP-0460.
> 
>      * Subclause 6.7, FDP_ITC.2 is modified as follows:
> 
>      FDP_ITC.2.5_-NIAP-0460_ The TSF shall enforce the following rules
>      when importing user data controlled under the SFP from outside the
>      TSC: _[selection:_ [assignment: _additional importation control
>      rules_]_, "no additional importation rules"]_
> 
>      * In subclause F.7, the following is added after the "Operations"
>        subheader after paragraph 858:
> 
>      Selection:
> 
>      For FDP_ITC.2.5-NIAP-0460, the PP/ST author should select "no
>      additional importation rules" if there are no additional
>      importation rules. In such a case, the assignment should not be
>      completed.
> 
>      * Subclause F.7, paragraph 860, is modified as follows:
> 
>      In FDP_ITC.2.5_-NIAP-0460_, the PP/ST author should specify any
>      additional importation control rules or _[DEL:_ "none" _:DEL]_
>      _select "no additional importation rules"_ if there are no additional
>      importation rules. These rules will be enforced by the TSF in
>      addition to the access control SFPs and/or information flow control
>      SFPs selected in FDP_ITC.2.1. _This assignment should not be
>      completed if "no additional rules" was selected._
> 
>      * FMT_MSA.3-NIAP-0409 is relabeled as FMT_MSA.3-NIAP-0460. Unless
>        otherwise noted in these changes, all normative and informative
>        material associated with FMT_MSA.3-NIAP-0409 is incorporated
>        unchanged into FMT_MSA.3-NIAP-0460, and all references to
>        FMT_MSA.3-NIAP-0409 in the CC, CEM, or other Common Criteria
>        documentation are changed to refer to FMT_MSA.3-NIAP-0460.
> 
>      * Subclause 8.2, FMT_MSA.3-NIAP-0409 is modified as follows:
> 
>      FMT_MSA.3.1-NIAP-0409 The TSF shall enforce the [_assignment:
>      access control SFP, information flow control SFP_] to provide
>      [_selection: choose one of: restrictive, permissive, [assignment:
>      other property]_] default values for security attributes that are
>      used to enforce the SFP.
> 
>      * Subclause H.2, FMT_MSA.3-NIAP-0409 is modified as follows:
> 
>      Selection:
> 
>      In FMT_MSA.3.1-NIAP-_[DEL:_ 0409 _:DEL]_ _0460_, the PP/ST author
>      should select whether the default property of the access control
>      attribute will be restrictive, permissive, or another property.
>      _Only one choice is permitted._
> 
>      * FPR_PSE.1 is relabeled as FPR_PSE.1-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FPR_PSE.1 is incorporated unchanged into
>        FPR_PSE.1-NIAP-0460, and all references to FPR_PSE.1 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer to
>        FPR_PSE.1-NIAP-0460.
> 
>      * Subclause 9.2, FPR_PSE.1, element FPR_PSE.1.3 is modified as
>        follows:
>        FPR_PSE.1_-NIAP-0460_.3 The TSF shall [_selection: choose one of:
>        determine an alias for a user, accept the alias from the user_]
>        and verify that it conforms to the [_assignment: alias metric_].
> 
>      * Subclause I.2, FPR_PSE.1, paragraph 1110, is modified as follows:
>        In FPR_PSE.1_-NIAP-0460_.3 the PP/ST author should specify whether
>        the user alias is generated by the TSF, or supplied by the user.
>        _Only one of these options may be chosen._
> 
>      * FPR_PSE.2 is relabeled as FPR_PSE.2-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FPR_PSE.2 is incorporated unchanged into
>        FPR_PSE.2-NIAP-0460, and all references to FPR_PSE.2 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer to
>        FPR_PSE.2-NIAP-0460.
> 
>      * Subclause 9.2, FPR_PSE.2, element FPR_PSE.2.3 is modified as
>        follows:
>        FPR_PSE.2_-NIAP-0460_.3 The TSF shall [_selection: choose one of:
>        determine an alias for a user, accept the alias from the user_]
>        and verify that it conforms to the [_assignment: alias metric_].
> 
>      * Subclause I.2, FPR_PSE.2, paragraph 1118, is modified as follows:
>        In FPR_PSE.2_-NIAP-0460_.3 the PP/ST author should specify whether
>        the user alias is generated by the TSF, or supplied by the user.
>        _Only one of these options may be chosen._
> 
>      * FPR_PSE.3 is relabeled as FPR_PSE.3-NIAP-0460. Unless otherwise
>        noted in these changes, all normative and informative material
>        associated with FPR_PSE.3 is incorporated unchanged into
>        FPR_PSE.3-NIAP-0460, and all references to FPR_PSE.3 in the CC,
>        CEM, or other Common Criteria documentation are changed to refer to
>        FPR_PSE.3-NIAP-0460.
> 
>      * Subclause 9.2, FPR_PSE.3, element FPR_PSE.3.3 is modified as
>        follows:
>        FPR_PSE.3_-NIAP-0460_.3 The TSF shall [_selection: choose one of:
>        determine an alias for a user, accept the alias from the user_]
>        and verify that it conforms to the [_assignment: alias metric_].
> 
>      * Subclause I.2, FPR_PSE.3, paragraph 1129, is modified as follows:
>        In FPR_PSE.3_-NIAP-0460_.3 the PP/ST author should specify whether
>        the user alias is generated by the TSF, or supplied by the user.
>        _Only one of these options may be chosen._
> 
> SUPPORT:
> 
>    This interpretation eliminates the confusion in the ISSUE by only
>    permitting "none" where explicitly specified. It also makes it clear
>    that more than one selection from a selection list may be made, unless
>    it is expressly prohibited. It also clarifies those selection lists
>    where selecting multiple options would introduce an internal
>    contradiction.
> 
>    The list of elements for which "none" is acceptable was determined by
>    examining all assignments and selections in the functional
>    requirements in CC v2.1 and the CC Part 2 annexes, and seeing if (a)
>    the annex indicated that "none" was an appropriate option, or (b) if
>    an assignment or selection of "none" (or equivalent wording, such as
>    "no action") resulted in a requirement that made sense.
> 
>    The approach taken in dealing with ambiguous assignments is to place
>    the assignments in a selection, with the null option included as the
>    last selection. An alternative approach would have been a single
>    assignment with "or 'none'", but the approach taken was felt to be
>    more in line with the style of the CC.
> 
>    This interpretation has an effect on all elements that contain
>    assignments or selections. Specifically, it prohibits "none" (or
>    equivalent) unless the option is explicit, and clarifies the use of
>    the selection operator to indicate how multiple options may be
>    combined. For those components drawn from the CC, it is expected that
>    this change only codifies existing practice. Explicitly stated
>    elements containing assignments and selections in PPs and STs should
>    be examined to determine if "none" should be provided as an explicit
>    option, or if there should be stated restrictions on the combinations
>    of options in a selection.
> 
>    This queue entry also removes a clause from FAU_GEN that complicates
>    evaluation by eliminating original text when a particular selection
>    option is chosen (for if the text is eliminated, it is unclear to the
>    evaluator if the clause was accidentally omitted, or intentionally
>    removed).
> 
>    Note: This interpretation is being applied to the CC as modified by
>    I-0414, I-0416, I-0417, and CCIMB-INTERP-0019. As this is superseding
>    I-0407 and I-0429, the changes made by those interpretations are
>    ignored.