Brian –
I’ll add these to the list of post-meeting
comment resolutions and put them in the “Errata” section of the PP Guide.
From: Brian Smithson [mailto:brian.smithson@xxxxxxxxxxxxx]
Sent: Thursday, July 30, 2009 5:33 PM
To: STDS-2600@xxxxxxxxxxxxxxxxx
Subject: [2600] additional comments for the PP Guide
OK, maybe these won't make it into the next draft --
sorry, I should have sent these a few days ago. They are errata resulting from
our response to the recent Observation Report from NIAP:
- App Note 114 is incorrectly worded. An earlier
draft of FPT_FDI_EXP.1 included a requirement to specify an authorized
role, and App Note 114 referred to that requirement. When we removed that
requirement (deferring to dependencies on FMT_SMR.1 and FMT_SMF.1), the
app note should have been reworded so that it referred to the dependencies
and not to FPT_FDI_EXP.1 itself.
- FMT_MTD.1 should have been iterated as a
component. Instead, the elements within FMT_MTD.1 were iterated within
FMT_MTD.1. ST Authors may correctly iterate the components, but in any
case, evaluators should be aware that the intention was to iterate the
component and should allow conforming STs to either correct or repeat this
structural iteration error.
- There is a minor error in the typographical
notation of FDP_ACF.1(b). Where it says "based on the following: users and [assignment: list of TOE functions and the security attribute(s) used to
determine the TOE Function Access Control SFP]",
the intention is that "users and" is a refinement that is
separate from the assignment that follows. The correct notation is
"based on the following: users and
[assignment: list of TOE functions and the security attribute(s) used to
determine the TOE Function Access Control SFP]".
--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435