RE: FIA_UID interpretations
- Subject: RE: FIA_UID interpretations
- From: "Apted, Tony J. [RA]" <ANTHONY.J.APTED@saic.com>
- Date: Tue, 1 Mar 2005 16:21:07 -0500
- Content-Type: text/plain; charset="iso-8859-1"
- Return-Receipt-To: "Apted, Tony J. [RA]" <ANTHONY.J.APTED@saic.com>
do you know in what form the "interpretation" was made (e.g., Observation
Decision), and by whom (CCEVS, or another scheme)?
With regard to the TCSEC, unique identification is a capability at C2 and
above; at C1, such a capability is not required. And of course, the reason
for unique identification is to enable the TSF to enforce individual
Most TSFs can't enforce unique identification anyway (in the sense that one
and only one user is ever associated with a particular user identity),
unless they use a biometric mechanism (which still gives you a less than 1.0
probability of uniqueness). Procedural measures have to be relied upon to
prevent (discourage?) sharing of authentication data by users (be that
passwords, a token and PIN, or whatever). All the TSF can do is provide the
capability for individual accountability by providing a mechanism
(individual user accounts) and limiting what actions a user can perform
before providing identification, and authentication of that identification,
to the TSF.
That means it's pretty difficult to craft a requirement for unique
identification - something like the following might work, and I guess could
be used as an explicitly stated requirement.
FIA_UID.3 Unique User Identification
Hierarchical to: No other components
FIA_UID.3.1 The TSF shall provide the capability to uniquely identify each
individual user of the TOE.
Michelle Ruppel wrote:
> I recently learned that FIA_UID.1 and FIA_UID.2 have been successfully
> to allow group identification. So, for example, if multiple
> users have the
> password and login to the system as root that can satisfy
> FIA_UID.1 and/or
> TCSEC did require unique identifiation and I had always interpreted
> FIA_UID.1/2 to
> require unique identification.
> Will the new version of CC Part 2 be updated to provide SFRs requiring
> unique identification?
> Was FIA_UID.1/2 originally intended to allow for group identification?
> - Michelle Ruppel
> Saffire Systems
Date Index |
Thread Index |
Problems or questions? Contact firstname.lastname@example.org