Re: I-0473: Ability To Obtain The Unique Identifier Of The TOE
- Subject: Re: I-0473: Ability To Obtain The Unique Identifier Of The TOE
- From: "Dr.Ir. D.J. Out" <email@example.com>
- Date: Tue, 17 Feb 2004 17:54:24 +0100
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset=us-ascii; format=flowed
- Organization: TNO-ITSEF BV
- References: <4E25ECBBC03F874CBAD03399254ADFDE10FB50@US-Columbia-CIST.mail.saic.com>
- User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020408
Arnold, James L. Jr. wrote:
> I am having second thoughts about my previous comment. I had indicated that
> the ability to identify the TOE should be associated with delivery and not
> installation, but now I am thinking there is not necessarily a problem with
> the current requirements. As identified in the "issue" of the proposed
> interpretation, the ACM informative text indicates that users should be able
> to identify the TOE. However, the applicable requirement indicates only that
> the TOE must be labeled.
> Doesn't "labeled" imply that someone can actually access it? (If something
> is labeled and no one can tell - is it actually labeled?) If it doesn't, I'd
> suggest reworking the ACM element as necessary to make sure it does.
> Furthermore, the informative ACM text doesn't indicate anything about timing
> and hence it should be possible for a user to determine the applicable
> identity of their TOE at any time (as opposed to during installation or upon
> delivery). However, I don't think that this needs to be easy or obvious as
> obscurity may be important for some environments.
The CEM actually explicitly addresses all of this:
Para 521 "For example, a software TOE may display its name and version
number during the startup routine, or in response to a command line
entry". Para 520 also seems applicable.
In smartcard evaluations this is actually a drag: All ICs look alike
from the outside, and developers like to use this to ensure that
attackers need to spend effort to find out which one it is. So in some
cases this version number hides behind authentication.
TNO ITSEF BV
P.O. Box 96864 tel +31 70 374 0304
2509 JG The Hague fax +31 70 374 0651
The Netherlands www.commoncriteria.nl
Date Index |
Thread Index |
Problems or questions? Contact firstname.lastname@example.org