Subject: "Other properties" is specified by assignment
CC Part #1 Reference:
CC Part #2 Reference: CC Part 2, FMT_MSA; CC Part 2, FMT_REV; CC Part 2, FPT_AMT
CC Part #3 Reference:
The CC paradigm is to have PP/ST authors specify "other" information through assignment. The FMT_MSA.3, FPT_AMT.1 and FMT_REV.1 components do not follow this paradigm; the Part 2 annex explicitly calls out the use of refinement to specify the other property.
For example, in FMT_MSA.3.1, the selection of "other property" for the default values is specified by assignment.
In the Common Criteria, when arbitrary information is added, this is typically done through the assignment operation. Refinement is used in those cases where additional implementation detail is provided. This particular issue appears to be due to a case where the CC authors mistakenly used refinement instead of assignment, probably to avoid embedding an assignment within a selection. This interpretation corrects the error by making the assignment explicit.
The method of specifying "other" information in assignment operations should be consistently presented in the CC.
To address this interpretation, the following changes are made to CC v2.1 Part 2:
FMT_MSA.3.1 The TSF shall enforce the [assignment: access control SFP, information flow control SFP] to provide [selection: restrictive, permissive, [assignment: other property]] default values for security attributes that are used to enforce the SFP.
FMT_REV.1.1 The TSF shall restrict the ability to revoke security attributes associated with the [selection: users, subjects, [assignment: other additional resources]] within the TSC to [assignment: the authorized identified roles].
FPT_AMT.1.1 The TSF shall run a suite of tests [selection: during initial start-up, periodically during normal operation, at the request of an authorized user, [assignment: other conditions]] to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF.
In FMT_MSA.3.1, the PP/ST author should list the access control SFP or the information flow control SFP for which the security attributes are applicable.
In FMT_MSA.3.1, the PP/ST author should select whether the default property of the access control attribute will be restrictive, permissive, or another property.
In FMT_MSA.3.1, if the PP/ST author selects another property, the PP/ST author should specify the desired characteristics of the default values.
In FMT_MSA.3.2, the PP/ST author should specify the roles that are allowed to modify the values of the security attributes. The possible roles are specified in FMT_SMR.1.
In FMT_REV.1.1, the PP/ST author should specify whether the ability to revoke security attributes from users, subjects, objects, or any additional resources shall be provided by the TSF.
In FMT_REV.1.1, if "additional resources" is selected, the PP/ST author should specify whether the ability to revoke their security attributes shall be provided by the TSF.
In FMT_REV.1.1, the PP/ST author should specify the roles that are allowed to modify the functions in the TSF. The possible roles are specified in FMT_SMR.1.
In FMT_REV.1.2, the PP/ST author should specify the revocation rules. Examples of these rules could include: "prior to the next operation on the associated resource", or "for all new subject creations".
In FPT_AMT.1.1, the PP/ST author should specify when the TSF will execute the abstract machine testing: during initial start-up, periodically during normal operation, at the request of an authorized user, or under other conditions. If the tests are run often, then the end users should have more confidence that the TOE is operating correctly than if the tests are run less frequently. However, this need for confidence that the TOE is operating correctly must be balanced with the potential impact on the availability of the TOE, as self tests may often delay the normal operation of a TOE.
In FPT_AMT.1.1, if "other conditions" is selected, the PP/ST author should specify the frequency with which the self tests will be run.
No additional rationale is required; the interpretation speaks for itself.