PD 0139: CC V3 Conformance Type for Existing CC V2 PPs
- Subject: PD 0139: CC V3 Conformance Type for Existing CC V2 PPs
- From: "Observation Decisions Review Board" <faigin@aero.org>
- Date: Thu, 31 May 2007 08:36:08 -0700
[During its May meeting, the ODRB issued the following PD. Any comments or
corrections will be considered during the next ODRB meeting.]
PD 0139: CC V3 Conformance Type for Existing CC V2 PPs
ISSUE
The new Common Criteria V3.1 Revision 1 Part 1, paragraph 437, states a
requirement that PPs define a conformance type of either "strict" or
"demonstrable". As none of the currently existing PPs contain such a
statement, handling of the ASE_CCL.1-6 and related requirements needs to
be defined.
RESOLUTION
Given the restrictions stated in D.2, paragraph 441, for additional
security objectives added to security targets beyond those in protection
profiles, strict conformance is too restrictive, and therefore the most
appropriate "default" conformance type should be "demonstrable". All
PPs are considered to be of type demonstrable until they are revised to
include a conformance type.
RATIONALE
"Demonstrable Conformance" is the broadest level of conformance,
applying to all cases where the TOE provides a degree of security which
is at least the same as that which the PP levies upon the TOE (or
comparable to it):
1. The stated threats are addressed through the enforcement of the SFRs
stated in the PP.
2. The stated threats are addressed through the enforcement of SFRs that
are comparable to (but not the same as) those stated in the PP.
3. Threats that the PP omits (or relegates to the environment) are
countered by the TOE.
That is to say, a TOE compliant with a PP that allows demonstrable
compliance will provide the security features called for by the PP,
perhaps more, and/or perhaps differently.
"Strict Conformance" is more restrictive. Specifically, paragraph 441 in
section D.2 states under these headings:
* "Security problem definition": "The ST shall contain the security
problem definition of the PP, may specify additional threats and OSPs,
but may not specify additional assumptions."
* "Security objectives": "[The ST] shall contain all security objectives
for the operational environment ... but may not specify additional
security objectives for the operational environment;"
Those prohibitions against additional assumptions and additional
security objectives for the environment are at variance with the
philosophy regarding PPs in CC V2. An example of that philosophy is in
section B.2.8, paragraph 232: "If the ST claims compliance with the
requirements of a PP but extends that PP by the addition of further
objectives and requirements, then the ST shall define the additions ..."