Hi,
I think the assumption A.NO_EVIL itself is not bad.
But is it necessary for ST authors (usually TOE developers) to think out the measures and describe them in the security objectives and in the user/administrator guidance? (Although this is the CC requirement.)
Those measures (for A.NO_EVIL) would be different in the actual environment.
Also, developers, evaluators and validators might each differ in their opinion about the sufficiency (or just about the written statement in the security objectives).
I propose that the ST be required to list possible risks and threats explicitly together with the assumption A.NO_EVIL, rather than to describe the measures.
If the assumption is not fulfilled, it should be the responsibility of the operational organization to accept the risk.
A similar assumption would be:
A.WORK_CORRECTLY "The underlying OS machine works correctly."
Regards,
Hirofumi Yokota