Re: I-0434: Treatment Of TSF Components Provided By A Third-Party


This discussion is about, I think :-), something akin to a capability versus product PP.  PP:  Here is the capability I need and there are parts that can be in an evaluated TOE and parts that can be in the environment around that TOE.  (Or this is the capability I need and any set of products that provide it is OK by me.)  Response (ST) is something like: Your capability needs are met by my TOE when used in the environment I identify.

This can be a very useful way to specify and respond.  It is not currently how the CC envisions the world works.  Unfortunately, the world is not always CC compliant :-).

Cheers,
Gary

At 04:12 PM 8/7/2003, Tom Benkart wrote:

This question digresses somewhat from Ken's comments, but it is related.

It may be acceptable to a PP author for some (presumably less critical) requirements to be allocated to either the TOE or the IT Environment.  Allocation to the TOE could be "preferred" while allocation to the IT Environment could still be "acceptable."  How should the concept of preferred versus acceptable be communicated in a PP?

One example of this could be the use of third party database products for data storage.  The PP author may prefer an integrated product solution (that includes the database in the TOE), but still find a partial third party solution (with the database outside the TOE boundary) acceptable.

And of course the most obvious example is an application software TOE that wants to exclude the OS.

There are many third party products that could fall into this category.  If the concept of preferred versus acceptable can be included in PPs, it may help to avoid some of the requests for special treatment of third party products.  Of course, if the mechanism isn't simple and easily understood, then it is unlikely to be used by PP authors.

Tom Benkart

At 09:54 AM 8/7/2003 -0400, you wrote:


I'm a little confused by the appended clause in the "Statement"
portion of the proposed interp:

"...unless the PP or ST explicitly indicates otherwise."

Based on the discussion thus far in the chain and the text in the
"support" section I take this to mean that the PP or ST may explicitly
put requirements on the third-party stuff in the IT environment.

However, the first part of the statement ("Third-Party components
included in the TSF...") seems to presume that the third-party
components are part of the TSF, so I'm not sure how to interpret
"unless the PP or ST explicitly indicates otherwise."  It seems to be
saying that a PP or ST author can allow third-party components (that
is, components for which first-party-level evidence is not available)
to be part of the TSF and then specify how they are to be evaluated;
essentially a "roll your own CEM."  I hope this isn't the intent of
the statement.

If I had my druthers, I think the correct statement should be:

  Third-Party components included in the TOE are treated no
  differently from components provided directly by the developer,
  unless the PP or ST explicitly allocates requirements to be
  satisfied by these components to the IT Environment.

I think the last clause is actually unnecessary and could be removed
without loss of meaning.

Of course, this still does not address the main theme of this thread
so far (can less assurance be applied to some third-party components
in the TOE that are *not* part of the TSF), but from a statement
posted about I-0453 it appears that the NIB (or someone) is working on
a separate interpretation for this issue.

KBEIII


**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************


