Re: I-0473: Ability To Obtain The Unique Identifier Of The TOE

["Dr.Ir. D.J. Out" <out@itsef.tno.nl>]

Arnold, James L. Jr. wrote:
> I am having second thoughts about my previous comment. I had indicated that
> the ability to identify the TOE should be associated with delivery and not
> installation, but now I am thinking there is not necessarily a problem with
> the current requirements. As identified in the "issue" of the proposed
> interpretation, the ACM informative text indicates that users should be able
> to identify the TOE. However, the applicable requirement indicates only that
> the TOE must be labeled.
> 
> Doesn't "labeled" imply that someone can actually access it? (If something
> is labeled and no one can tell - is it actually labeled?) If it doesn't, I'd
> suggest reworking the ACM element as necessary to make sure it does. 
> 
> Furthermore, the informative ACM text doesn't indicate anything about timing
> and hence it should be possible for a user to determine the applicable
> identity of their TOE at any time (as opposed to during installation or upon
> delivery). However, I don't think that this needs to be easy or obvious as
> obscurity may be important for some environments.

The CEM actually explicitly addresses all of this:

Para 521 "For example, a software TOE may display its name and version 
number during the startup routine, or in response to a command line 
entry". Para 520 also seems applicable.

In smartcard evaluations this is actually a drag: All ICs look alike 
from the outside, and developers like to use this to ensure that 
attackers need to spend effort to find out which one it is. So in some 
cases this version number hides behind authentication.

Dirk-Jan

-- 
TNO ITSEF BV
P.O. Box 96864          tel +31 70 374 0304
2509 JG The Hague       fax +31 70 374 0651
The Netherlands         www.commoncriteria.nl