[Public Interpretations Database]

PD-0108: FTP_ITC.1.3 Specifies The Functions For Which A Trusted Channel Is Provided

This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.

Effective Date: 2004-07-19
Last Modified 2006-08-02


In CC v2.1/v2.2, the FTP_ITC.1.3 SFR specifies the list of functions for which a trusted channel is required AND for which the TSF shall initiate communication. A problem arises, however, when one must specify the functions for which either the TSF or a Remote Trusted IT Product must use a trusted channel, as FTP_ITC.1.3 only refers to the local TOE, and specifically refers to initiation, not use.

One solution is to modify the text of FTP_ITC.1.3 to indicate the functions for which either the local TSF or remote trusted IT product must use a trusted channel. However, such a change expands the scope of the SFR. How is this issue to be resolved?


It is acceptable to use an explicitly stated SFR that replaces the CC v2.1/v2.2 version of FTP_ITC.1.3 with the following text:

The TSF shall use a trusted channel for the following functions: [assignment: list of functions for which a trusted channel is required].

When this modified version of FTP_ITC.1.3 is used, there should also be an accompanying note that explains that the rationale for this explicit requirement is that it corrects an error identified by CCEVS in the requirement and an interpretation is being created by NIAP to correct the offending wording.

Note: Use of the explicitly specified requirement replacement does not imply a responsibility for the TSF under evaluation to ensure that a remote TSF performs a particular action; rather, the TSF under evaluation is only required to use the channel for the indicated purpose if the channel is initiated. There is no requirement for the evaluator to verify that the remote TSF initiates the channel.


The intents of the three elements of FTP_ITC.1 are, respectively:

  1. There must be a trusted channel.

  2. Either the TSF or the remote trusted IT product may initiate the communication.

  3. The trusted channel must be used for the functions listed in the assignment (for example, password-based authentication functions, replication operations, or remote management of directory service data).

The problem is, given that FTP_ITC.1.2 permits either the TSF or the remote trusted IT product to initiate communications over the channel, FTP_ITC.1.3 is contradictory if "the remote trusted IT product" was assigned in 1.2. That is, FTP_ITC.1.3 seems to be incorrectly stated in requiring the TSF to initiate communications over the channel. It is clear that FTP_ITC.1.3 should read "The trusted channel shall be used for [assignment: list of functions for which a trusted channel is required]". This PD corrects the problem.

It seems that this issue has not arisen previously probably because all STs that have claimed FTP_ITC.1 so far have completed the assignment in the second element with "TSF" thus avoiding the creation of the problem in the third.

Modification History:

Based on a posted comment, made some minor corrections to clarify the statement, and made clearer that the list in item 3 in the support was just an example. (ODRB August 2004 Agenda Item 4.c.ii)


  • CC v2.1 Part 2, with interpretations as of 2002-02-28
  • U. S. Government Firewall Protection Profile (PP) for Medium Robustness Environments, v.1.0, October 28, 2003

Related NIs:

  • None


  • None

Source OD: 0232