Re: ST evaluation on threats and security objectives


At 04:16 AM 2/26/2003, YOKOTA HIROFUMI wrote:
My impression on this change is:
 
1. The effort to list 'all' threats would not be a point of the ST evaluation.

"All", like 'never' and similar words, are problematic.  For the practical application of the CC to evaluations, a better reading of a phrase like "lists all threats"  is "no obvious threats have been overlooked".  Also, the PP or ST evaluator is still expected to make sure that the environmental section is not inconsistent with whatever is described in the Introduction and TOE Description.

2. The 'suitability' of security objectives would not be a point of the ST evaluation.

Suitability of the objectives remains a point of the ST evaluation.

 
If so, my opinion is that the interpretation is to be applied to the current CC
(at least, for EAL1 to EAL3 evaluation).
 
What do you think about this?

The CC makes no distinctions between ST/PP evaluations based upon what assurances are included in the ST or PP.  So, whatever applies to one ST/PP applies to all.

Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
*
Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20877-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
**************************************************************************


