TSFI Determination

CCv3.1r2p1 (para 93) indicates: TSF interface (TSFI) - a means by which
external entities (or subjects in the TOE but outside of the TSF) supply
data to the TSF, receive data from the TSF and invoke services from the
TSF.

CCv3.1r2p3 (section A.2.2) figure 20 and surrounding text indicates that
a TOE might be associated with a server (i.e., providing some service
the TSF depends on) in the IT environment. Figure 20 and para 557 are
explicit that the applicable interface is not a TSFI and need not be
analyzed or discussed - that will apparently be handled in an ACO
evaluation.

CCv3.1r2p2 includes requirements such as FPT_ITI.1 where the TSF shall
provide a capability to detect modification of transmitted TSF
data...and to verify integrity of transmitted data (presumably received
by the TSF).

Is there some distinction between 'another trusted IT product' and a
'server upon which the TSF depends'? Should FPT_ITI.1, for example, NOT
be used when considering a server upon which the TSF depends?

Consider the case of signature updates for a virus scanner. The TSF
depends on the corporate virus signature server to deliver regular and
timely updates in order to be most effective. Presumably, the signatures
must be protected in transit (e.g., across the Internet). As such, it
appears that a requirement such as FPT_ITI.1 might be appropriate if the
TSF were to, for example, verify digital signatures on newly received
signatures. 

However, since the TSF depends on this server, the example presented in
CCv3.1r2p3 (para 557) indicates pretty clearly that the applicable
interface is not a TSFI and need not be discussed or analyzed. How then
should an evaluation team determine conformance to FPT_ITI.1? No TSFI,
no description, perhaps no tests...
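To make the FPT_ITI.1 question concrete, the following is an added example (not from the original post or from any CC document) of what the TSF-side check on the signature-update interface might look like, and therefore what an evaluator would want described and tested regardless of how the interface is classified. It assumes a pre-shared key and an HMAC-SHA256 tag as a stand-in for the digital signature the post mentions; the key, the update format, the `server_publish`/`tsf_receive` functions and the sample payload are all constructed for this illustration.

```python
"""Illustrative integrity check on received signature updates.

Added example, not code from the original post. It models the detection
half of FPT_ITI.1 (detect modification of TSF data received from another
IT product) using an HMAC-SHA256 tag over a versioned payload. A real
product would use a public-key signature so the update server holds the
only private key; HMAC is used here so the example runs with the Python
standard library alone.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed pre-shared key for the example only (assumption, not from the page).
UPDATE_KEY = b"example-shared-integrity-key-not-for-production"


@dataclass
class UpdateMessage:
    """A signature update as delivered across the (untrusted) network."""
    version: int       # monotonically increasing release number
    signatures: bytes  # the virus-signature payload itself
    tag: bytes         # integrity tag covering version and payload


def _integrity_tag(version: int, payload: bytes) -> bytes:
    """Compute the tag over version, payload length and payload.

    Length-prefixing the payload keeps the encoding unambiguous, so two
    different (version, payload) pairs cannot serialise to the same bytes.
    """
    mac = hmac.new(UPDATE_KEY, digestmod=hashlib.sha256)
    mac.update(version.to_bytes(4, "big"))
    mac.update(len(payload).to_bytes(4, "big"))
    mac.update(payload)
    return mac.digest()


def server_publish(version: int, payload: bytes) -> UpdateMessage:
    """Update-server side: attach the integrity tag before transmission."""
    return UpdateMessage(version, payload, _integrity_tag(version, payload))


def tsf_receive(msg: UpdateMessage, current_version: int) -> tuple:
    """TSF side: accept an update only if it is unmodified and newer.

    Returns (accepted, reason). The tag is checked first with a
    constant-time compare; the version check then rejects replay of an
    old but correctly tagged update, which a pure integrity check would
    otherwise let through.
    """
    expected = _integrity_tag(msg.version, msg.signatures)
    if not hmac.compare_digest(msg.tag, expected):
        return False, "integrity check failed: update modified in transit"
    if msg.version <= current_version:
        return False, "stale or replayed update rejected"
    return True, "update accepted"


def demo() -> dict:
    """Run the three cases an evaluator would expect to see tested."""
    # Constructed sample payload; not real signature data.
    payload = b"sig:EICAR-Test-File;sig:Example.Worm"
    good = server_publish(7, payload)

    # Same tag, one byte of payload changed in transit.
    tampered = UpdateMessage(good.version, payload.replace(b"Worm", b"Wor_"), good.tag)

    return {
        "genuine": tsf_receive(good, current_version=6),
        "tampered": tsf_receive(tampered, current_version=6),
        "replayed": tsf_receive(good, current_version=7),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result}")
```

The point for the evaluation question is that the TSF's behaviour on this interface (accept, reject as modified, reject as stale) is observable and testable at the TSF boundary even if the update server itself is treated as an environmental dependency rather than a TSFI.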