TD0814: Correction to Mixed content in TSS AAs
Publication Date
2024.02.13
Protection Profiles
PP_BASE_VIRTUALIZATION_V1.1
Other References
FCS_IPSEC_EXT.1.3, FIA_UIA_EXT.1, FIA_X509_EXT.2.2, FPT_ML_EXT.1
Issue Description
The Protection Profile for Virtualization Version 1.1 (PP_BASE_VIRTUALIZATION_V1.1.pdf) includes Evaluation Activities classified by TSS, Guidance and Test. There are several TSS evaluation activities where both TSS and guidance EAs are included; in some cases there is no Guidance section for that SFR. Resolution
The TSS EA for FCS_IPSEC_EXT.1.3 in PP_BASE_VIRTUALIZATION_V1.1 is modified as follows, with red highlighted strikethrough denoting deletion and green highlighted underline denoting addition:
TSS If both transport mode and tunnel mode are implemented, the evaluator shall review the
operational guidance to determine how the use of a given mode is specified. The evaluator shall examine the TSS to verify that the TSS provides a description of how a packet is processed against the SPD and that if no “rules” are found to match, that a final rule exists, either implicitly or explicitly, that causes the network packet to be discarded.
The TSS and Guidance EAs for FIA_UIA_EXT.1 is modified as follows, with red highlighted strikethrough denoting deletion and green highlighted underline denoting addition:
TSS The evaluator shall examine the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. This description shall contain information pertaining to the credentials allowed/used, any protocol transactions that take place, and what constitutes a “successful logon.” The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on. If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.
Guidance The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on. If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.
The Guidance EA for FIA_X509_EXT.2 is added as follows, with green highlighted underline denoting addition:
Guidance The evaluator shall ensure that the guidance documentation describes the configuration required in the operating environment so the TOE can use the certificates. The guidance documentation shall also include any required configuration on the TOE to use the certificates. The guidance documentation shall also describe the steps for the Security Administrator to follow if the connection cannot be established during the validity check of a certificate used in establishing a trusted channel.
The TSS and Guidance EAs for FPT_ML_EXT.1 are modified as follows, with red highlighted strikethrough denoting deletion and green highlighted underline denoting addition:
TSS The evaluator shall verify that the TSS or Operational Guidance describes how integrity measurements are performed and made available to the Management Subsystem. The evaluator shall examine the operational guidance to verify that it documents how to access the measurements in the Management Subsystem.
Guidance The evaluator shall examine the operational guidance to verify that it documents how to access the measurements in the Management Subsystem.
Justification
See issue description. |