Re: Do we need explicitly stated IT security requirement for FPT_STM?
When we have a time server (product) to evaluate the security functions, I
see two options for defining the TOE, since the use of time values is not
necessarily for security purposes.
One is the TOE that includes:
- an application that provides reliable time information.
- I&A security function.
- audit security function.
- user data (time values) protection function.
Another one could be the TOE that includes:
- time stamps security function that provides reliable time information.
(this might be expressed by using FPT_STM or the refinement, or
explicitly stated IT security requirement)
- other (fringe) security functions (I&A, audit, user data protection)
Then, which TOE could be preferable for the evaluation?
Does this selection purely depend on the customer's strategy?
Or, is this an area that scheme or evaluation lab can recommend?
I personally prefer the second one, but I am not sure if this is common
sense and if this is preferable to the second one.
Yokota