RE: TSS Level of Detail/PD 0063: What Information Must Be Provided in the TSS
On Fri, 28 Jul 2006 01:42:25 -0400 (EDT), Alex Ragen <email@example.com>
> Though the goal of this clarification seems straightforward and clear, it
> still leaves evaluators/validators with a judgment call: how much detail is
> required in the publicly available ST?
It's hard to give a hard and fast answer that applies to all situations. It's
easy to know what too little is: just regurgitating the SFR. It's easy to know
what too much is: spilling the proprietary beans. Describing where the correct
middle is is difficult.
> It's not just a question of balancing
> the customer's need to know how something is done with the vendor's need to
> keep the details secret from competitors. These details must also be kept
> secret from the customers' users, who may be looking for ways around the
> TOE's annoying and inconvenient security mechanisms.
I agree the proprietary details shouldn't be spilled, but there is a middle
ground. Let's look at an operating system. I think we would agree it is
insufficient to say that "The TOE has a feature to protect files.". I think we
would agree it is too much information to say in the ST the layouts of ACLs or
protection bits, and how these structures are loaded and checked on a call. I
think the middle ground is something along the lines of: Whenever a file is
opened, a check is made of the user's identity against an access control
list... together with a description of the logical policy of the check.
> Why do the details have to be spelled out in the Security Target, where
> everyone can see them? Can't at least some of them left for the non-public
> HLD and LLD docs? And if so, shouldn't there be clearer guidelines as to
> what goes where?
All the details don't have to be spelled out. What is needed is one or two
lines of a very-high-level implementation summary. The proprietary specifics
are in the HLD and LLD.
Date Index |
Thread Index |
Problems or questions? Contact firstname.lastname@example.org