ND-iTC / Documents

ND iTC Document repository (NDcPP, ND SD, and all related files)
MIT License

NIAP Comment on FTP_ITC.1 #63

Open plughy2 opened 2 years ago

plughy2 commented 2 years ago

The iTC received a request from NIAP to address ambiguity found in FTP_ITC.1.2 and FTP_ITC.1.3.

In FTP_ITC.1.2, there is no requirement on which party (the TSF or the authorized IT entity) shall initiate the communication. Yet FTP_ITC.1.3 has the ST author list, via an assignment operation, the services for which the TSF shall initiate communication. More specifically, there isn't a way to check that what the ST author may put in the assignment operation is correct. In other words, if the ST is being evaluated by itself (or in this case being checked via an automated process), how are the contents of the assignment operation in FTP_ITC.1.3 determined to be correct? Does FTP_ITC.1.3 even provide value when FTP_ITC.1.2 states either party can initiate the communication?

It was suggested that the NDcPP follow the format of the FTP_ITC_EXT.1 requirement as defined in the Protection Profile for General-Purpose Computing Platforms.

Addressing the ambiguity will help NIAP in their effort to automate checking of Security Targets that was being led by Bob Clemons.

dundiddat commented 2 years ago

That proposed change seems fine. The refinement in FTP_ITC.1.2 in NDcPPv2.2e seems entirely unnecessary, so it seems easy and appropriate to remove the refinement "the TSF or the authorized IT entities" and instead directly copy the selection from CC Part 2 "[selection: the TSF, another trusted IT product]".

Note, if the change will include replacing "authorized IT entities" with "trusted IT product" then for consistency there are corresponding wording changes to be made in FTP_ITC.1.1 and application note 39 to replace "authorized IT entities" (plural) and "authorized IT entity" (singular) with "trusted IT product".

BTW, the wording issue seems to be isolated to this SFR. NDcPPv2.2e only contains five occurrences of "authorized IT entity" (or "entities"), all of which are in FTP_ITC.1 or its application note.

plughy2 commented 2 years ago

Adding a link to FTP_ITC_EXT.1 from GPCP: https://commoncriteria.github.io/pp/gpcp/gpcp-release.html#FTP_ITC_EXT.1

Pros: In addition to resolving the NIAP issue stated above, the formatting comments NIAP had with FTP_ITC.1 and FTP_TRP.1 would also be resolved by changing FTP_ITC.1 to the explicitly stated SFR format.

Cons: Requires changing all instances of FTP_ITC.1 to FTP_ITC_EXT.1. Requires a change to FTP_TRP.1.

cfesysco commented 2 years ago

For clarification purposes, could we just revise FTP_ITC.1.3 to "The TSF shall ~~initiate communication~~ communicate via the trusted channel for [assignment: list of services for which the TSF is able to initiate communications]."

Pros: Removes ambiguity between FTP_ITC.1.2 and FTP_ITC.1.3, follows CC2 more closely, minimal changes.

Cons: Not the request NIAP asked for.

dundiddat commented 2 years ago

Due to concerns expressed in the comments above, and the potential complexity of addressing this completely/properly, the MINT has decided to postpone resolution of this issue, so for now the status will be changed to "Backlog".