Re: I-0453: TSF And Support Code
Principal and supporting SFRs are introduced to satisfy security objectives.
If some SFRs are evaluated at a lower level of assurance, this means that:
1. Either we have a lower level of assurance that the corresponding threat
(or OSP or assumption) is really countered;
2. Or we have reason to believe that the given SFR is "optional".
(This falls under the "Trusted Non-TSF" category of assumptions.)
Isn't a better way to handle this kind of thing to break down the
problem into SFR packages, and evaluate each at an appropriate EAL?
For example, a very common configuration "in the wild" is to locate
hosts on a segment protected by a firewall. If the TOE is the total system
(e.g. air traffic control system), still we might want some pieces to be
evaluated at a higher assurance level, e.g. the firewall in this case.
Another closely-related aspect is "optional" SFRs. This is not supported
today by the CC syntax. The point is that sometimes you would like
to specify some functionality, but depending on the operational environment,
it may or may not be needed.
For example, for an EAL2 TOE running in an EAL5-evaluated operating
system, perhaps AMT is "optional".
But if this is an EAL5 TOE running on an EAL2 operating system, and
AMT is not known to be correct (i.e. not evaluated to the higher level),
what have you gained?
Nir
----- Original Message -----
From: Knoke, Jim
To: Multiple recipients of list
Sent: Friday, November 22, 2002 4:37 AM
Subject: RE: I-0453: TSF And Support Code
I'm not sure I understand how one would adjust a PP or ST based on risk. If you are saying that AMT, for example, should simply not be included if the risk of not doing AMT is acceptable, I think that is too black-and-white. I think the proposed interp is trying to establish a middle ground where AMT can be included because it is useful, and will be evaluated to some extent, but will not have to meet the full extent of all assurance requirements.
-----Original Message-----
From: Gary Stoneburner [mailto:stoneburner@nist.gov]
Sent: Thursday, November 21, 2002 4:25 PM
To: Multiple recipients of list
Subject: RE: I-0453: TSF And Support Code
The PP or ST can make assumptions about this risk and produce a requirement set reflecting those assumptions. Without an explicit statement of the risk acceptance, we have no choice but to treat all parts of the TSF (that is, whatever we have to rely upon) the same.