
[2600] Question related to ALC_FLR



Hi

Can I have your opinion regarding ALC_FLR? (Because I have no idea how
to solve my problem.)

As you know, ALC_FLR is "Flaw remediation", which requires that
discovered security flaws be tracked and corrected by the developer.

However, once corrected, the TOE becomes different from the TOE
which was certified. This is my understanding.

So you will need to get certified again with the corrected TOE before
providing it to the customer.

However, ALC_FLR does not require this process.

Does that mean that we leave the risk that the vendor provides uncertified
software when he has corrected the security bug?

Or, do you (or NIAP) think that the corrected TOE is still the certified one?

Or should we ask the vendor to get certified again with the corrected TOE before
providing it to the customer?

Regards.

Shigeru Ueda.