[cPP PUBLIC REVIEW] [atsec13] Application Note consistence and usage of "should"

[jvdsn]

Application Note 27 lists several details the ST "should" include, for example, the policies allowed and how the TOE evaluates them; location of these policies and how the TOE protect their integrity, etc. However, the EAs in section 2.3.3.3.1 only requires the TSS to describe each of the options for reauthorization.

This issue is twofold:

1) There are a lot of instances in the cPP where we say "the ST [author] should" do something. According to the CC, "should" is optional if a rationale is provided. Are we sure that every one of those instances is actually optional? For example: "TSFs that employ other algorithms or modes that require OTVs should include FCS_OTV_EXT.1."

2) If the cPP says "the ST [author] should" or "the ST [author] must" do something, does it need to be added to the TSS evaluation activities for that SFR? I would think so, in general.

[woodbe]

Take out the last 3 sentences in the paragraph for point 1.

[woodbe]

The scope of the change will determine whether this is accepted now or later. This review cycle is for editorial changes, so there is a limit to what we can accept at this point.

Consistency of the language for point 2 (especially on the "must" text) would definitely be editorial. Changes to the SD based on that are more questionable, but if it is adding a "check this" for maybe 5-6 SFRs, it should be fine, but more than that and the number of changes is a little too much.

@jvdsn please create a new Issue for the "should" issue, tag this one as reference and give it a v3 target.