Categorisation of SFRs for the TOE and for the IT environment
- Subject: Categorisation of SFRs for the TOE and for the IT environment
- From: "Agievich Sergei V." <agievich@bsu.by>
- Date: Thu, 1 Apr 2004 11:38:15 +0300
We plan to develop a PP for software cryptographic modules that run under a general-purpose operational system. During the preliminary analysis, we encounter a problem with categorisation of SFRs for the TOE (software module) and for the IT environment (operational system, OS).
Let us illustrate this problem with an example.
Let the TOE implement role-based access control policy.
Before using the TOE functionality, an end-user must be identified and authenticated.
The following implementations of I&A are possible:
a) the OS identifies and authenticates end-users, and maps their identity
to an OS role. The TOE roles are equivalent to the OS ones;
b) the OS identifies and authenticates end-users, and maps their identity
to the OS role "TOE User". Members of this role have access to the TOE
authentication service. The TOE identifies and authenticates members
of the role "TOE User", and maps their identity to a TOE role;
c) the TOE identifies and authenticates all users of the OS, and maps their identity to a TOE role.
We suppose that any of the scenarios above can be implemented.
Developers can choose a target scenario during the ST creation and their choice yields some combination of SFRs for the TOE and SFRs for the IT environment.
Now, how to declare all such combinations in the PP?
In our opinion, the most flexible solution consists in the series of refinements
"The TSF shall..." --> "The [selection: TSF, IT environment, TSF and IT environment] shall..."
Does this solution meet the concept of the CC?
P.S. We have been embarrassed by the following paragraph (CC, part 1, section 4.3.2):
"The intent of determining security objectives is to address all of the security concerns and to declare which security aspects are either addressed directly by the TOE or by its environment. This categorisation is based on a process incorporating engineering judgement, security policy, economic factors and risk acceptance decisions."
Sergey Agievich
National Research Center for Applied Problems of Mathematics and Informatics
Belarusian State University
Fr. Skorina av. 4, Minsk 220050, Belarus