Re: FMT_MSA.3: Restrictive/Permissive Default Values
I thought over this a little bit more.
While I agree that "default values" means "values automatically assigned by
the TSF" and this could be applied without a particular inconsistency in
FMT_MSA.3, I feel that this is an extended interpretation and the original
intent of the CC became vague.
Let's examine FMT_MSA.3 again.
The TSF shall enforce the [assignment: SFP] to provide [selection:
restrictive, permissive, other property] default values for security
attributes that are used to enforce the SFP.
The TSF shall allow the [assignment: the authorised identified roles] to
specify alternative initial values to override the default values when an
object or information is created.
I understand FMT_MSA.3.1 as the following:
1. the TSF should define the property (restrictive, permissive, or other) of
Therefore, if the TSF provides attribute values automatically (i.e.,
copied) according to the obtained values (either implicitly or explicitly)
from the incoming message, we could not say that the property is of
2. I think that FMT_MSA.3 has a fail-safe concept. If the TSF provides
attribute values automatically (i.e., copied) according to the obtained
(either implicitly or explicitly) values from the incoming message, we
wouldn't see the concept in this.
3. While, in FMT_MSA.3.2, the phrase is clearly and explicitly stated that:
"override default values when an object or information is created", there is
no such condition stated in providing default values in FMT_MSA.3.1.
I suppose this means that "default values" are mostly pre-defined before
each information is created, not when an object or information is
Here is a scenario according to my understanding above.
The TOE receives messages with a classification label (Unclassified,
InternalUseOnly, Confidential );
FMT_MSA.3.1: The TOE provides a permissive default value "Unclassified" for
all incoming messages, or
FMT_MSA.3.1: The TOE provides a restrictive default value "Confidential" for
all incoming messages.
FMT_MSA.3.2: An administrator is allowed to override the default value by
the classification label of the message that is received.
Based on such a scenario, I thought and wanted to say, in my previous message,
that the assignment : "nobody", "no authorized role", or "no subject" in
FMT_MSA.3.2 would be unlikely.
This is just an opinion.
I welcome and appreciate any of your opinions on this.
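
The scenario in the message above, modelled as an added example that is not part of the original post or of the CC text. The class and role names (`LabelPolicy`, `"administrator"`) and the sample messages are assumptions made for illustration: the default label is fixed before any message arrives, and the label carried by a message is honoured only as an override requested by an authorised role.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Label(IntEnum):
    UNCLASSIFIED = 0
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2


@dataclass(frozen=True)
class StoredMessage:
    body: str
    label: Label
    label_source: str  # "default" or "override"


class LabelPolicy:
    """Hypothetical model: a pre-defined default plus a role-gated override."""

    def __init__(self, default: Label, override_roles: frozenset):
        self.default = default                # chosen up front (FMT_MSA.3.1)
        self.override_roles = override_roles  # roles in FMT_MSA.3.2; may be empty

    def create(self, body: str, claimed: Optional[str] = None,
               role: Optional[str] = None) -> StoredMessage:
        # The label claimed by the message is used only when an authorised
        # role requests the override at creation time.
        if claimed is not None and role in self.override_roles:
            try:
                return StoredMessage(body, Label[claimed], "override")
            except KeyError:
                pass  # unknown label name: fall through to the default
        return StoredMessage(body, self.default, "default")


def demo():
    # Constructed sample messages for both default properties.
    restrictive = LabelPolicy(Label.CONFIDENTIAL, frozenset({"administrator"}))
    permissive = LabelPolicy(Label.UNCLASSIFIED, frozenset({"administrator"}))
    return [
        restrictive.create("m1").label,                                   # no label
        restrictive.create("m2", "UNCLASSIFIED").label,                   # no role
        restrictive.create("m3", "UNCLASSIFIED", "administrator").label,  # override
        restrictive.create("m4", "TopSecret", "administrator").label,     # bad label
        permissive.create("m5").label,                                    # no label
    ]
```

Passing an empty `override_roles` set models the "nobody" assignment discussed above: every message then keeps the pre-defined default regardless of the label it carries.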