PD-0119: Applicability of FIA_UAU.7 Application Note in CAPP v1.d


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2005-07-19
Last Modified: 2006-08-02

Issue

The Controlled Access Protection Profile (v1.d) has an application note under the FIA_UAU.7 requirement that says, "Some forms of input, such as card input based batch jobs, may contain human readable user passwords. The Administrator and User Guidance documentation for the product must explain the risks in placing passwords on such input and must suggest procedures to mitigate that risk."

Would this apply to a TOE providing a facility that stores the user password on the remote system in plaintext and that initiates commands on a remote system via a batch job?

Resolution

The Application Note in question applies to all kinds of batch jobs, not merely card-input based batch jobs.

This issue should be documented in both the ETR and the VR.

Support

The problem identified for card-input based batch jobs will exist for any form of batch job, especially those designed to run under a different user identity than the submitter. Without the user being present to supply the authentication, the authentication will need to be stored in some decodable form. Hence, it is reasonable to extend this application note to other forms of batch input, under the proviso that appropriate guidance be given to the user and administrator, and that there be a suitable warning in the ETR and Validation Report.

Modification History:

2005-07-19
PD Created. ODRB June 2005 Meeting, Agenda Item 3.a.i.
2005-08-23
Fixed typo in the effective date.

References:

  • CAPP v1.d

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0243