Re: FDP_ITT.4 Attribute-based integrity monitoring



The NIB can see where the FDP_ITT.4.1 requirement in its prototype form
in the CC might be confusing.  It is written so as to link a number of
policies with a number of errors based upon a number of attributes.  In
its 'unrefined' form it is not readily comprehensible.  Nevertheless,
the NIB believes it is accurate and useable as is.  The NIB would like
to note, however, that the CC permits the use of the refinement
operation to improve readability.  In the CC, FDP_ITT.4.1 is:

        FDP_ITT.4.1:  The TSF shall enforce the [assignment: access
        control SFP(s) and/or information flow control SFP(s)] to
        monitor user data transmitted between physically-separated parts
        of the TOE for the following errors: [assignment: integrity
        errors], based on the following attributes: [assignment:
        security attributes that require separate transmission
        channels].

An example of refinement used to improve readability might be:

        The TSF shall enforce the *Policies* to monitor user data
        transmitted between physically-separated parts of the TOE for
        the following errors: *Errors*, based on the following
        attributes: *Attributes* in the following table.

       .-------------.--------------.--------------.----------------.
       |Requirement: |  Policies:   |   Errors:    |    Attributes: |
       +-------------+--------------+--------------+----------------+
       |FDP_ITT.4.1a |  DAC         |   access     |    Userid      |
       +-------------+--------------+--------------+----------------+
       |FDP_ITT.4.1b |  integrity   |   checksum   |    Checksum    |
       `-------------'--------------'--------------'----------------'

Associating each policy with its particular errors and attributes in
multiple iterations of the SFR will always improve readability yet still
maintain the structure intended by the CC and the meaning intended by
the ST author. 




