Re: A.NO_EVIL for TOE with limited privileges
The ODRB thanks Michelle for her question and all those who have commented on 
this issue.  

The ODRB considers A.No_Evil a reasonable (but irrelevant) assumption for any 
privileged user role.  If a particular user role, admin or otherwise, has an 
associated privilege, then one can reasonably assume A.No_Evil since the user 
role was explicitly given authorization for a particular set of product 
functionality. This inherently dictates that the user is trusted within that 
well-defined role. However, it is not reasonable to assume A.No_Evil either for 
a user with no special privilege or for a privileged user outside their defined 
role (e.g. a network administrator is assumed non-hostile for networking 
functions but is not necessarily assumed non-hostile for audit functions).

The ODRB recommends adding text to A.No_Evil when it is utilized to clearly 
state this assertion. This can be accomplished in multiple ways.  The ST author 
could have multiple A.No_Evil statements each specifying a particular admin 
group (e.g. A.No_Evil_Network, A.No_Evil_Audit) or one generic statement that 
simply states that administrators are non-hostile, appropriately trained and 
follow all administrator guidance in their defined role. The details regarding 
the boundaries of these roles are then expressed in the FMT class.  

If the A.No_Evil assumption is not present in the ST, one can still rightfully 
assume that the administrator, or any other privileged user role, is 
non-hostile, appropriately trained and follows all administrator guidance for 
their defined role.  Therefore, whether the assumption of A.No_Evil is present 
or not in the ST, it is assumed unless there is an explicitly stated threat 
against a privileged user role.
