ND-iTC / Documents

ND iTC Document repository (NDcPP, ND SD, and all related files)
MIT License

FCS_IPSEC_EXT.1.12 - Clarification requested #216

Closed Kirky-J closed 1 year ago

Kirky-J commented 1 year ago

Section 4.2.4.3 para 478

FCS_IPSEC_EXT.1.12. “The evaluator simply follows the guidance to configure the TOE to perform the following tests.” Please clarify what is meant by “simply follows the guidance”.

FCS_IPSEC_EXT.1.12 Test 2. The AA suggests that the use of guidance is acceptable while the SFR element states “by default”, typically understood as not requiring configuration. Please reconcile. 

kr15tyk commented 1 year ago

As an FYI, the topic has been discussed by the NIT in RFI 202229, https://ccusersforum.onlyoffice.com/Products/Files/DocEditor.aspx?fileid=8016042&action=view.

dundiddat commented 1 year ago

Recommendations...

In PP: Add to glossary, "by default" = "When configured in accordance with AGD_PRE, and AGD_OPE."

In SD: Reword AA to, "The evaluator follows the guidance (completing AGD_PRE.1 and adhering to AGD_OPE.1) to configure the TOE to perform the following tests."

KSinitski commented 1 year ago

> Recommendations...
>
> In PP: Add to glossary, "by default" = "When configured in accordance with AGD_PRE, and AGD_OPE."
>
> In SD: Reword AA to, "The evaluator follows the guidance (completing AGD_PRE.1 and adhering to AGD_OPE.1) to configure the TOE to perform the following tests."

Objection. “By default” means that no extra configuration is required; it is distinct from “in the evaluated configuration” that otherwise would have been used.

kenji-lightship commented 1 year ago

If my memory serves, there was extensive discussion about "by default" related to firewall rules. I thought the conclusion was consistent with the recommendation proposed by @dundiddat

KSinitski commented 1 year ago

a. I recommend removing "simply" in the SD. It confuses the otherwise clear "The evaluator follows guidance...".

b. I recommend removing "by default" from the SFR instead of defining it in a way that conflicts with how 'by default' is typically understood.

FCS_IPSEC_EXT.1.12 The TSF shall be able to ensure that the strength of the symmetric algorithm...

kr15tyk commented 1 year ago

I agree with @KSinitski's recommendation to remove 'simply' and 'by default'.

kenji-lightship commented 1 year ago

I agree with the proposed changes as well.