
Re: [2600] question on FMT_MSA.1 and FMT_MSA.3



The problem is that the SFRs are poorly worded.  They should say something like "The TSF shall support the [assignment: SFPs] by restricting the ability to ...".  For some reason the wording has never been changed in CC Part 2.

The SFRs in the PP are stated according to the accepted usage of FMT_MSA.1 so they should be OK.

Tom

At 07:43 PM 11/12/2008, Lida Wang wrote:
Hi all,
 
I think there are some problems with FMT_MSA.1 and FMT_MSA.3. If I have made a mistake, please clarify for me.
 
Based on FMT_MSA.1.1(a), the TSF shall enforce the Common Access Control SFP, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to [assignment: the authorized identified roles].
 
Here I think the security attributes are TSF data. However, the Common Access Control SFP is used to protect user data. The object of the Common Access Control SFP is user document data and user functional data. Therefore I think we should not use the Common Access Control SFP here.
 
There is the same problem with FMT_MSA.1.1(b), FMT_MSA.1.3(a), and FMT_MSA.1.3(b).
 
 
Thanks,
 
Lida,
 
Principal engineer,
 
Kyocera technology development

Tom Benkart
Common Criteria Consulting LLC
work: 301-570-9308
cell: 240-401-1173
tom.benkart@xxxxxxxxxxxxxxxxx
http://www.consulting-cc.com