Thread Links Date Links
Thread Prev Thread Next Thread Index Date Prev Date Next Date Index

Re: [2600] proposed new text for PP guide discussion of FMT_MSA.3

Jerry Thrasher had the same suggestion. I’m working on the wording for it that I’ll send out for review next week.

Alan

From: Don Wright [mailto:don@xxxxxxxxxxx]
Sent: Friday, August 07, 2009 9:05 AM
To: STDS-2600@xxxxxxxxxxxxxxxxx
Subject: Re: [2600] proposed new text for PP guide discussion of FMT_MSA.3

 


Would it hurt to provide a concrete example?  For instance, it is common that a normal user is allowed to change his own password.  Wouldn't that be a clearly understandable delegation to U.NORMAL by U.ADMINISTRATOR?



______________________________________

LEXMARK
Don Wright, Director of Standards
C14/082-3, 740 New Circle Rd, Lexington Ky 40550
Office: +1 859 825-4808     Fax: +1 603 963-8352
don@xxxxxxxxxxx  |  f.wright@xxxxxxxx

Director, ANSI & IEEE-ISTO
Chair, INCITS Executive Board
Member, IEEE SA Board of Governors
Treasurer, IEEE Standards Association  
Member: ANSI IPC, AIC, IPRPC | ECMA General Assembly
 

 

Brian Smithson <brian.smithson@xxxxxxxxxxxxx>

08/06/2009 06:53 PM
Please respond to Brian Smithson

       
        To:        STDS-2600@xxxxxxxxxxxxxxxxx
        cc:        
        Subject:        [2600] proposed new text for PP guide discussion of FMT_MSA.3





During the most recent P2600 meeting, we left an action item open to
gather more input from Canon and consider other changes to clause 6.6,
page 54, lines 33-44. Canon has supplied more information. I propose
that we replace lines 33-44 with the following text:

   "FMT_MSA.3.2(a) allows an authorized role to alter the default
   attribute values when an object or information is created.
   Typically, either U.ADMINISTRATOR or Nobody will be allowed to alter
   default attribute values. It is possible in some implementations
   that a U.NORMAL will be allowed to alter default attribute values
   associated with some of their own data, and such allowance should be
   specified carefully so that access control is not compromised."

Keeping in mind that FMT_MSA.3.2 deals with permission to alter the
/default/ attribute values, I think that the most typical cases will be
that either U.ADMINISTRATOR is allowed or Nobody is allowed. Therefore,
I don't think we should spend much time on an unusual case in which a
normal user is allowed to change defaults on some attributes.

--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435