How to use FTP_ITC (Inter-TSF trusted channel)?

I've been pondering over it, and yet I'm not clear about it.
Could someone teach me the usage in the following situation?
-----------------------------------------------------
Situation:
We are writing the ST for a TOE.
The TOE communicates with other remote trusted IT products through the Internet.
The security objectives for the TOE are to protect the transmission data from modification.
-----------------------------------------------------
Then, there is no doubt that the TOE needs FDP_UIT.1 (data exchange integrity).
Then, it needs to specify FTP_ITC.1 (Inter-TSF trusted channel) too, since FDP_UIT.1 has the dependency on FTP_ITC.1.

The requirements of FTP_ITC.1 are:
a) to provide logically distinct communication channels
b) to provide assured identification of its end points
c) to provide protection of the channel data from modification
d) to initiate communication by either the TSF or the remote trusted IT product

Now, in order to express the security functional requirements in the ST, we have the following choices.

Choice-1:
The TOE fully supports FTP_ITC.1.

Choice-2:
The TOE supports a part of FTP_ITC.1. For example, c) and d).
The IT environment for the TOE supports the others (i.e., a) and b)).

Choice-3:
The TOE does not support FTP_ITC.1.
The IT environment fully supports FTP_ITC.1.

Choice-4:
Both the TOE and the IT environment for the TOE do not support FTP_ITC.1.
However, the TOE supports c), and hence the TOE satisfies the security objectives without FPT_ITC.1.
So, the non-satisfaction of a dependency on FTP_ITC.1 does not prevent the FDP_UIT.1 adequately addressing the security objectives.
*****
Now, which one is the most plausible and acceptable choice for the writing of the ST?
The following are my thoughts.

About the choice-1.
Naturally, the TOE executes send/receive commands to communicate with the remote trusted IT product.
However, the network functions are mostly provided by the underlying OS (the IT environment of the TOE such as Weblogic6.1). Hence, this is not plausible.

About the choice-2.
I think this is plausible.

About the choice-3.
I think this is not plausible, since d) is not the task of the IT environment, but the task of the TOE.

About the choice-4.
I think FDP_UIT.1 definitely needs FPT_ITC.1 in the situation.
So, I think, this is not plausible. However, some people strongly suggest this is the correct choice.
They say, "It is impossible to provide logically distinct communication channels in the Internet. So, it is impossible to use FPT_ITC.1 in the Internet communication."
******
What do you think about this?

Regards,
Yokota