Re: PD 0108: FTP_ITC.1.3 Specifies The Functions For Which A Trusted Channel Is Provided



The ODRB thanks Mr. Tom Benkart for his 20 July 2004 suggestions for improving 
the wording of PD 0108, FTP_ITC.1.3 Specifies the Functions for Which a Trusted 
Channel is Provided.  As a result of his comments, the ODRB will be issuing a 
revised PD.

The ODRB agrees with Tom's first suggestion that the first sentence of the 
Resolution, "It is acceptable to replace the CCv2.1/2.2 version of FTP_ITC.1.3 
with the following text," be replaced with "It is acceptable to use an 
explicitly stated SFR that replaces the CCv2.1/2.2 version of FTP_ITC.1.3 with 
the following text." 

While Tom's second comment expressed his concern that "some text from the 
original OR is still included (namely...)" in paragraph 3 under Support, the 
ODRB thought that information should be retained since it provides good 
examples of the functions for which a trusted channel might be required.  
However, the ODRB decided to clarify that the information indeed identifies 
examples; therefore, the ODRB plans to remove the parentheses and change the 
sentence to the following: "The trusted channel must be used for the functions 
listed in the assignment, for example, password-based authentication functions, 
replication operations, remote management of directory service data." 

Lastly, Tom suggested, "It might be helpful to include in the PD a statement 
that the TSF is not required to enforce usage of the trusted channel by the 
remote trusted IT product."  The ODRB agrees that such a statement is useful 
and plans to add such a statement as a Note in the Resolution:
 
    Note: Use of the explicitly-specified requirement replacement does
    not imply that the TSF under evaluation must ensure that a remote
    trusted IT product performs the listed functions.  Instead, the TSF
    under evaluation is only required to use the channel for the
    indicated purpose(s) if the channel is initiated.  Furthermore,
    there is no requirement for the evaluator to verify that the remote
    trusted IT product initiates communication via the trusted channel.

 






