Re: [I-0461: Definition of TSF: Relied Upon For The Correction Enforcement]
- Subject: Re: [I-0461: Definition of TSF: Relied Upon For The Correction Enforcement]
- From: "YOKOTA HIROFUMI" <firstname.lastname@example.org>
- Date: Tue, 1 Jul 2003 15:09:04 +0900
- References: <3EFB60B9.FF1D3342@mitre.org>
I have an additional concern about the definition of TSF, TSP and the
Access control function could be divided into the following two parts.
1. Access control decision/enforcing functions
2. Access control rules
Consider the case that a product provides only #2 (Access control rules) and
the IT environment provides #1 (Access control decision/enforcing
This means that the behavior of the security functions is not performed by
the product, but performed by the IT environment.
This might be a plausible case that a software program only provides
critical security parameters and the platform performs all major security
functions according to the parameters.
In this case, by definition, could we consider the access control rules as
TSF/TSP for the product?
If so, what could be the behavior of the TSF to be tested (ATE)?
I may be wrong, but could this concern be a similar example as Arnold, James
L. Jr. wrote on March 03, 2003 in Subject: RE: I-0463: Platform Inclusion In
A TOE With FPT_SEP as the following?
> The larger more important issue is the handling of SFRs that cross the
> boundary between the TOE and its environment. This is a very common case,
> fact every PP written to date allows at least some aspects of its SFRs to
> fulfilled by the IT environment. This can readily be found by examining
> assumptions. If there is an assumption that the IT environment provides
> physical protection, then the TOE is unable to protect itself or reliably
> provide most of its security functions unless the IT environment helps it
> out by contributing to the ability to provide those security functions.