Re: wordings are not consistent in CCV3.1



On Wednesday 11 October 2006 09:25, YOKOTA HIROFUMI wrote:
> Hi,
>
> I think, it is not easy to see the difference of the following wordings in
> CC(V3.1) Part2.
>
> 1. "covered by the SFP" --- P57  FDP_ACC.1.1
> 2. "controlled under the SFP" --- P73 FDP_ITC.1.1
> 3. "controlled by the SFP(s)" --- P76 FDP_ITT.2.2
> 4. "controlled by the TSF" --- P82 FDP_SDI.1.1
>
> Are they all the same?

Hard to say, since it is not so clear what the SFRs actually mean.
>
> (1) FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP]
> on [assignment: list of subjects, objects, and operations among subjects
> and objects covered by the SFP].

Here I am inclined to think that the assignment defines the scope of control 
as alluded to in para 18 of Part 2. In which case the words "covered by the 
SFP" are self-referential and hence don't mean anything. In my opinion this 
should read: 
(1) FDP_ACC.1.1 The TSF shall enforce the [assignment: access control SFP]
on [assignment: list of subjects, objects, and operations among subjects].

> (2) The TSF shall enforce the [assignment: access control SFP(s) and/or
> information flow control SFP(s)] when importing user data, controlled under
> the SFP, from outside of the TOE.

This one is more difficult, as it is inconsistent with the definitions.
- You cannot import user data into a TOE as para 36 defines User Data to be in 
a TOE. You would import <other_word> into a TOE and create User Data from it. 
- I do not understand how an SFP applies to user data, as para 36 states that 
Data is stored in resources, and it is not at all clear how data and resources 
relate to information and objects (which is what SFPs apply to). Paras 37 and 
38 are not very clear on this. 

> (3) FDP_ITT.2.2 The TSF shall separate data controlled by the SFP(s) when
> transmitted between physically-separated parts of the TOE, based on the
> values of the following: [assignment: security attributes that require
> separation].

The same argument applies as on the previous one. In addition, it is not so 
clear what the security attributes it refers to are actually security 
attributes of. 

> (4) FDP_SDI.1.1 The TSF shall monitor user data stored in containers
> controlled by the TSF for [assignment: integrity errors] on all objects,
> based on the following attributes: [assignment: user data attributes].

The term container is difficult to understand. The last sentence of para 30 
defines it as a passive entity. Para 33 then defines all these passive 
entities as objects. So container = object, and this makes the sentence hard to 
understand. 
Para 35 does not list "user data" as something that may have an attribute, so 
the last assignment is also not a valid one. 
I *think* but cannot be sure that the SFR is actually incomplete, and that it 
needs an assignment somewhere as to which data, containers, resources, 
information and/or objects it actually applies to. 

==================

So, in conclusion, I don't think it is possible to say what the terms 
"controlled" and "covered" actually mean in each SFR, as the rest of the 
words in the SFRs are used outside their definition. 

Best regards,

Dirk-Jan
-- 
Dirk-Jan Out
brightsight bv        
Delftechpark 1, 2628 XJ Delft, The Netherlands
T +31 15 269 2525, F +31 15 269 2555, www.itsef.com