Re: Addendum to Policy Letter 13: Audit Generation Functionality

["Observation Decisions Review Board" <faigin@aero.org>]

The ODRB thanks the participants in this lively discussion concerning
the recently-posted Addendum to Policy Letter 13. Research into it has
revealed that an early draft version had been posted, which is why it
lacks the structure, CCEVS seal, and fields identifying effective date,
etc. that are present in other  policy letters and addenda. The
resulting discussion has generated numerous points that will need to be
addressed in the final version of the Addendum before it becomes
effective. That being said, there are a few points raised to which we
would like to respond now. 

Mr Arnold seems to believe that Policies that are not tied to a specific
section of the CC are beyond the scope of CCEVS's remit. This is not
true; the CCRA explicitly acknowledges that the signatories may specify
rules with which their evaluations must comply. 

Ms Ruppel notes that requiring audit generation is not always
appropriate in every case. We agree; an example that comes to mind is
the typical KVM switch. But we note that such a switch only connects the
input to the selected output - it does not perform any decision making
(where the result might differ based upon the input) that would be
expected to be audited.  The addendum should clarify that such
possibilities exist. But for the majority of TOEs, there will be some
security decisions being made that must be audited. Unless there is a
way to offload that audit generation into the environment (and nothing
springs to mind), that audit generation will have to be provided by the
TSF that makes the decision. 

We also acknowledge that the draft addendum does not indicate what level
of audit (minimal, basic, detailed) must be used. We expect the answers
to be similar to those required by 8500.2 and the DCID.