RE: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS

Subject: RE: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS
From: "Daniel P. Faigin" <faigin@aero.org>
Date: Fri, 28 Jul 2006 05:34:19 -0700
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <003701c6b210$1bb47530$0200a8c0@AlexDell>
References: <44C87EEF.23728.7D7AFC@localhost> <003701c6b210$1bb47530$0200a8c0@AlexDell>
Sender: faigin@solarium.aero.org


On Fri, 28 Jul 2006 01:42:25 -0400 (EDT), Alex Ragen <aragen@netvision.net.il>
said: 

> Though the goal of this clarification seems straightforward and clear, it
> still leaves evaluators/validators with a judgment call: how much detail is
> required in the publicly available ST?

It's hard to give a hard and fast answer that applies to all situations. It's
easy to know what too little is: just regurgitating the SFR. It's easy to know
what too much is: spilling the proprietary beans. Describing where the correct
middle is is difficult.

> It's not just a question of balancing
> the customer's need to know how something is done with the vendor's need to
> keep the details secret from competitors. These details must also be kept
> secret from the customers' users, who may be looking for ways around the
> TOE's  annoying and inconvenient security mechanisms. 

I agree the proprietary details shouldn't be spilled, but there is a middle
ground. Let's look at an operating system. I think we would agree it is
insufficient to say that "The TOE has a feature to protect files.". I think we
would agree it is too much information to say in the ST the layouts of ACLs or
protection bits, and how these structures are loaded and checked on a call. I
think the middle ground is something along the lines of: Whenever a file is
opened, a check is made of the user's identity against an access control
list... together with a description of the logical policy of the check.

> Why do the details have to be spelled out in the Security Target, where
> everyone can see them? Can't at least some of them left for the non-public
> HLD and LLD docs? And if so, shouldn't there be clearer guidelines as to
> what goes where?

All the details don't have to be spelled out. What is needed is one or two
lines of a very-high-level implementation summary. The proprietary specifics
are in the HLD and LLD.

Daniel

Follow-Ups:
- FDP_ITT.4 Attribute-based integrity monitoring
  - From: "YOKOTA HIROFUMI" <yokota-hirofumi@jqa.jp>
- wordings are not consistent in CCV3.1
  - From: "YOKOTA HIROFUMI" <yokota-hirofumi@jqa.jp>
- Re: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS
  - From: "YOKOTA HIROFUMI" <yokota-hirofumi@jqa.jp>

References:
- Re: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS
  - From: "Observation Decisions Review Board" <faigin@aero.org>
- RE: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS
  - From: Alex Ragen <aragen@netvision.net.il>

Prev by Date: Re: Classification in CC V3.0
Next by Date: Re: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS
Prev by thread: RE: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS
Next by thread: Re: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS

Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov