commoncriteria / transforms

Repository for various transforms that are common across CC projects.
The Unlicense

general tag support for FP selections #112

Open jfisherbah opened 1 month ago

jfisherbah commented 1 month ago

PPs currently have the ability to 'see' selection ids made in external documents (modules, packages) through the use of the tag. However, this tag only works in certain situations. For example, the construction can be used to cite individual selection IDs in external documents.

However, there are other situations where it is necessary for the PP to be able to 'see' an external document reference. Specifically:

  1. an app note or an evaluation activity may reference a given SFR selection, test, or other reference-able item in the SFR (e.g. "If 'administrator-configurable' is selected in FP SFR FIA_XYZ, management function 30 must be claimed").

     example 1: A PP may have a selection for a management function that is only chosen if a selection in an FP SFR is made. In this case, the application note needs to have the ability to support an external reference to a selection in the FP.

     example 2: A PP may have a specific test EA that references a test EA in an FP SFR (e.g. "The evaluator shall repeat Test X in FP SFR FIA_XYZ but then also do blah blah"). The ability for a cross-reference to exist would aid in accuracy.

  2. a selection-based SFR may depend on a selection made in an external document.

     example: A PP has a selection-based SFR where the TSF is required to block installation of code in the event of an invalid code signing certificate. This SFR is only claimed if FIA_X509_EXT.2 (in the X.509 FP) specifies code signing as a use for X.509. In this case, the tag under the SFR would need to be able to support an external reference to the selection in the X.509 FP.

In situation 1 above, literal text references can be used as a stopgap. In situation 2, there is no way to do it except programmatically so the SFRs appear in the correct section but the box saying what triggers its inclusion is blank.

robertmclemons commented 1 month ago

Situation 2 should already be implemented.

     <depends on="sel-aes-cbc-128">
        <external-doc ref="pkg-tls"/>
     </depends>

Keep in mind that PPs can see into FPs, but FPs should not reference the internals of PPs. And Modules can see into PPs, but PPs should not reference the internals of Modules.
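
A check for the symptom discussed in this thread (an SFR whose external trigger does not resolve), as an added example that is not part of the issue or of the transforms repository. Only `<depends on="...">` and `<external-doc ref="..."/>` come from the thread; the `<PP>`, `<sfr>`, `<Package>` and `<selectable id="...">` names, all ids other than `sel-aes-cbc-128` and `pkg-tls`, and the lookup of external documents by `ref` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed PP fragment. Only <depends on=...> and <external-doc ref=...> come
# from the thread; <PP>, <sfr> and their ids are hypothetical.
PP_XML = """<PP>
  <sfr id="sfr-a"><depends on="sel-aes-cbc-128"><external-doc ref="pkg-tls"/></depends></sfr>
  <sfr id="sfr-b"><depends on="sel-code-signing"><external-doc ref="pkg-x509"/></depends></sfr>
  <sfr id="sfr-c"><depends on="sel-local"/></sfr>
  <sfr id="sfr-d"><depends on="sel-x"><external-doc ref="pkg-missing"/></depends></sfr>
</PP>"""

# Constructed external documents keyed by the value used in external-doc/@ref.
# Assumption: selections are declared as <selectable id="...">.
EXTERNAL_DOCS = {
    "pkg-tls": '<Package><selectable id="sel-aes-cbc-128">AES-CBC-128</selectable></Package>',
    "pkg-x509": '<Package><selectable id="sel-tls-auth">TLS authentication</selectable></Package>',
}


def selection_ids(xml_text):
    """Return the set of ids declared on <selectable> elements in one document."""
    root = ET.fromstring(xml_text)
    return {el.get("id") for el in root.iter("selectable") if el.get("id")}


def unresolved_external_depends(pp_xml, external_docs):
    """List (parent id, selection id, doc ref, reason) for every external
    <depends> whose target document or selection id cannot be found."""
    known = {ref: selection_ids(text) for ref, text in external_docs.items()}
    problems = []
    for parent in ET.fromstring(pp_xml).iter():
        for dep in parent.findall("depends"):
            ext = dep.find("external-doc")
            if ext is None:
                continue  # dependency on a selection in the same document
            ref, sel = ext.get("ref"), dep.get("on")
            if ref not in known:
                problems.append((parent.get("id"), sel, ref, "unknown document"))
            elif sel not in known[ref]:
                problems.append((parent.get("id"), sel, ref, "no such selection id"))
    return problems


if __name__ == "__main__":
    for problem in unresolved_external_depends(PP_XML, EXTERNAL_DOCS):
        print(problem)
```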