NEVO-P2600comment_27c_en-v1 - IEEE-SA

SHARP
Comments on P2600.1-27c.pdf
2007/5/28

Columns: (0) No; (1) Clause No./Subclause No./Annex (e.g. 3.1); (2) Paragraph/Figure/Table/Note (e.g. Table 1); (3) Type of comment *1; (4) Comment (justification for change); (5) Proposed change.
*1 Type of comment: ge = general, te = technical, ed = editorial.
NOTE: Columns 1, 3, 4 are compulsory.

Comment 1
Clause: -
Paragraph/Table: -
Type of comment: Clarification

Comment (justification for change):
A proposal of how to divide the PPs based on how a PP is used.
A PP is used in two cases:
1) A vendor uses it to state that an HCD conforms to the P2600 PP.
2) A customer uses it as a condition for procuring devices.
So we should make each PP so that it has only one function.
In the current proposal, for example, PRT handles Document data, Job log data, User identification data, User authentication data and Audit logs. We are forcing vendors and users to have all of these functions without the option to select them.

Proposed change:
-

Comment 2
Clause: 7.2.2
Paragraph/Table: Table 5
Type of comment: technical

Comment (justification for change):
The threat T.DOC.OUTPUT.DIS is not properly defined.
Work unit APE_SPD.1-2 requires that "all threats shall be described in terms of a threat agent, an asset, and an adverse action" (CC Part 3, page 59). However, the description of T.DOC.OUTPUT.DIS does not let us identify any adverse action (we cannot read how the threat agent breaches the asset).
In addition, the phrase "sent to the hardcopy output handler" refers to the asset "during transfer", not "stored". This means that the threat agent reads the data illicitly by tapping a signal line of the hardware circuit. However, the attacker assumed at EAL3 has only "basic abilities to attack" and does not have such an ability. That is, no such threat exists. If an attacker having "basic abilities to attack" were able to tap a signal line of the hardware circuit, we would need to protect or encrypt the hardware circuit and only then send the data to the hardcopy output handler.
→ proposal 1)

The description below is a deeper consideration regarding T.DOC.OUTPUT.DIS.
The PRT description in this PP does not assume non-volatile storage. It is volatile storage that stores D.DOC.OUTPUT. As mentioned above, the attacker assumed at EAL3 has only "basic abilities to attack", so the attacker does not have the ability to "retrieve the asset from volatile storage". Therefore no such threat exists. Even if an attacker having "basic abilities to attack" were able to retrieve the asset from volatile storage, we would need to protect the volatile storage physically or encrypt the data before storing it in the volatile storage.
→ proposal 2), 3)

This does not apply only to PRT: document data while being processed (excluding document filing) shall be treated in the same way. The only cases in which D.DOC.* is effective in the PPs are DSR and NVS.

Proposed change:
1) For example, define the asset as "the data before being sent to the hardcopy output handler". In addition, regarding the adverse action, define the "basic abilities to attack" level of attack that the attacker has, and describe "(for example) by using a device other than the HCD", or define the threat as "Retrieving another's User Document Data in paper form from the Output Document Handler".
2) Exclude T.DOC.OUTPUT.DIS.
3) If an attacker having "basic abilities to attack" is able to tap a signal line of the hardware circuit, we shall protect the hardware circuit physically, or encrypt the data and store it in the volatile storage.
4) Include non-volatile storage (NVS) PP requirements in PRT, SCN and FAX.
Comment 3
Clause: 7.2.3
Paragraph/Table: Table 7
Type of comment: general

Comment (justification for change):
P.USER.AUTHORIZATION, P.ADMIN.AUTHORIZATION, P.AUDIT.LOGGED
An OSP indicates the security policies of a specific organization. OSPs should not be specified in a PP that is intended as a standard (paragraph 49 of ISO/IEC TR 15446):
During an iterative process of PP or ST development new information might surface, within the scope of the current security concerns, that may lead to changes to the document that reflect changes in external circumstances, for example:
a) new threats may be identified;
b) organisational security policies may change;
c) cost and time constraints may impose changes in division of responsibility between what the TOE is expected to do, and what is expected of the TOE environment;
d) changes in intended attack potential may impact on the TOE security environment.

Proposed change:
1) Derive security functions not from OSPs but from threats (assets).
Comment 4
Clause: 7.2.3
Paragraph/Table: Table 7
Type of comment: general

Comment (justification for change):
P.ADMIN.AUTHORIZATION
(CC Part 1, paragraph 28) To represent requirements requiring separation of the administrator's tasks, the CC Part 2 security functional components related to the family FMT_SMR state that the role of administrator is necessary. This indicates that a person holding the administrator role is required if the TOE has any administration functions. Therefore P.ADMIN.AUTHORIZATION is not always necessary.

Proposed change:
1) Derive objective policies from T.PROT.STORED.ALT, T.CONF.STORED.DIS, or T.CONF.STORED.ALT.

Comment 5
Clause: 8.2.1
Paragraph/Table: Table 13
Type of comment: technical

Comment (justification for change):
D.DOC.INPUT is defined but no threats against it are specified. If there are no threats, it is not necessary to protect D.DOC.INPUT.

Proposed change:
1) D.DOC.INPUT should be deleted if there are no threats.

Comment 6
Clause: 9.2.1, 9.2.2
Paragraph/Table: Table 22, Table 2
Type of comment: general

Comment (justification for change):
Treatment of T.DOC.OUTPUT.DIS in CPY.
As mentioned in http://grouper.ieee.org/groups/2600/email/msg00816.html, the options are 1) adding the TOE name at the end of the threat, and 2) eliminating T.DOC.OUTPUT.DIS from CPY, where it is to be ignored.
Regarding 1): whether or not the TOE name is appended, D.DOC.OUTPUT exists in CPY.
Regarding 2): if you eliminate T.DOC.OUTPUT.DIS from CPY, you should also eliminate it from PRT and FAX, so that the line of reasoning is consistent across the PPs.

Proposed change:
1) Add T.DOC.OUTPUT.DIS to CPY.
2) Or eliminate T.DOC.OUTPUT.DIS from PRT and FAX.

Comment 7
Clause: 10.2.2
Paragraph/Table: Table 35
Type of comment: technical

Comment (justification for change):
Although D.PROT.STORED and D.CONF.STORED are defined, no threats against them are defined. If no threats are defined, it is not necessary to protect them.

Proposed change:
1) Eliminate D.PROT.STORED and D.CONF.STORED if there are no threats.
Comment 8
Clause: 13.2.1, 13.2.2
Paragraph/Table: Table 62, Table 64
Type of comment: technical

Comment (justification for change):
The threat T.DOC.COMMS.DIS is against the assets D.DOC.RECV and D.DOC.SENT, so it is not appropriate for an HCD that has only the D.DOC.SENT function (the HCD would have to have the D.DOC.RECV function as well).
Let us assume a USB scanner. We can say it is represented by SCN+SMI. In SMI, T.DOC.COMMS.DIS is listed as described in Table 64. This threat is against D.DOC.RECV and D.DOC.SENT, so the USB scanner would have to have the asset D.DOC.RECV.
To avoid this, T.DOC.COMMS.DIS must be divided into the threats against D.DOC.SENT and those against D.DOC.RECV.
In the same way, T.*.COMMS.* is against D.DOC.RECV and D.DOC.SENT, so it must be divided into the threats against D.DOC.RECV and those against D.DOC.SENT.

Proposed change:
1) Divide T.*.COMMS.* into threats against D.*.RECV and those against D.*.SENT.
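The following Python is an added example and is not part of SHARP's comment sheet or of the P2600.1 draft. It applies the three consistency checks the comments argue for to a small asset/threat model of a PP: an asset that no threat refers to (comments 5 and 7), a threat that names an asset the PP does not define (comment 8, the send-only USB scanner), and a threat with no adverse action, which APE_SPD.1-2 requires (comment 2). It also carries out the split proposed in comment 8, one threat per asset. The sample table contents and the suffix naming of the split threats (".RECV", ".SENT") are assumptions made for the example, not the draft's actual tables or naming.

```python
"""Consistency checks over a Protection Profile's asset and threat tables.

Hypothetical helper written for this example; not part of IEEE P2600.1.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    agent: str                 # threat agent, e.g. an attacker with basic attack potential
    assets: frozenset          # identifiers of the assets the threat is stated against
    adverse_action: str        # how the agent breaches the asset; "" means not described


@dataclass(frozen=True)
class ProtectionProfile:
    name: str
    assets: frozenset          # identifiers of the assets the PP defines
    threats: tuple             # Threat instances


def check_pp(pp):
    """Return findings for the three checks raised in the comment sheet.

    - assets the PP defines but no threat refers to (comments 5 and 7)
    - threats that refer to assets the PP does not define (comment 8)
    - threats with no adverse action, required by APE_SPD.1-2 (comment 2)
    """
    covered = set()
    missing_assets = []
    no_action = []
    for t in pp.threats:
        absent = sorted(t.assets - pp.assets)
        if absent:
            missing_assets.append((t.name, absent))
        if not t.adverse_action.strip():
            no_action.append(t.name)
        covered |= t.assets
    return {
        "assets_without_threat": sorted(pp.assets - covered),
        "threats_with_missing_assets": missing_assets,
        "threats_without_adverse_action": no_action,
    }


def split_by_asset(threat):
    """Split a threat stated against several assets into one threat per asset.

    Naming (append the asset's last component, e.g. ".RECV") is an assumption
    made for this example, not P2600 naming.
    """
    parts = []
    for asset in sorted(threat.assets):
        suffix = asset.rsplit(".", 1)[-1]
        parts.append(replace(threat, name=f"{threat.name}.{suffix}",
                             assets=frozenset({asset})))
    return parts


def split_and_prune(pp):
    """Copy of pp in which multi-asset threats are split per asset and threats
    against assets the PP does not define are dropped."""
    new_threats = []
    for t in pp.threats:
        for part in (split_by_asset(t) if len(t.assets) > 1 else [t]):
            if part.assets <= pp.assets:
                new_threats.append(part)
    return replace(pp, threats=tuple(new_threats))


def sample_pp():
    """Constructed sample modelled on the send-only device (SCN+SMI) scenario
    in comment 8. These tables are made up for the example and are not the
    contents of the draft's Table 62 or Table 64."""
    return ProtectionProfile(
        name="SCN+SMI (constructed)",
        assets=frozenset({"D.DOC.SENT", "D.DOC.INPUT", "D.DOC.OUTPUT"}),
        threats=(
            Threat("T.DOC.COMMS.DIS", "attacker with basic attack potential",
                   frozenset({"D.DOC.RECV", "D.DOC.SENT"}),
                   "reads document data while it is transmitted over the link"),
            # adverse action deliberately left blank to trigger the APE_SPD.1-2 check
            Threat("T.DOC.OUTPUT.DIS", "attacker with basic attack potential",
                   frozenset({"D.DOC.OUTPUT"}), ""),
        ),
    )


if __name__ == "__main__":
    pp = sample_pp()
    for key, value in check_pp(pp).items():
        print(f"{key}: {value}")
    fixed = split_and_prune(pp)
    print("after split:", [t.name for t in fixed.threats])
    print("still missing assets:", check_pp(fixed)["threats_with_missing_assets"])
```

Run as a script it reports D.DOC.INPUT as an unthreatened asset, T.DOC.COMMS.DIS as referring to the absent D.DOC.RECV, and T.DOC.OUTPUT.DIS as lacking an adverse action; after the split only the D.DOC.SENT half of T.DOC.COMMS.DIS survives, which is exactly what comment 8 asks the PP to allow for a send-only device. The same check runs over any PP expressed as these two tables, not only the scanner case.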