![[Public Interpretations Database]](http://www.niap-ccevs.org/assets/images/precedent-db.jpg){kind=small}
PD-0072: Empty Assignment Operation
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
| Effective Date: | 2002-10-23 |
| Last Modified | 2006-08-02 |
Issue
According to I-0407, assignment operations cannot be completed with a "null" value. An ST is claiming compliance with a PP that was evaluated before this interpretation was formalized, and which includes a requirement that seems as though it should allow a null assignment. How should this assignment be handled:
-
As the PP was evaluated before the interpretation was published, it sshould not be considered subject to the interpretation?
-
Should the assignment be filled in redundantly to effective nullify it?
-
Should the NIB interpret the PP to allow a null assignment?
-
Should the ST writer identify another attribute to include in the requirement?
Resolution
This OR highlights a general concern of the impact of national or international interpretations on compliance claims against already evaluated PPs. Specifically, given a TOE targeting compliance to a given PP, if an interpretation is finalized after the PP has been finalized, should the interpretation be applied in all TOEs seeking compliance to the PP from that point forward, even though it may change the original intent of the PP authors? The title of this observation report has been changed to reflect this concern.
Scheme Publication #3 ("Guidance to Validators of IT Security Evaluations") states:
"All final NIAP and international common criteria interpretations existing as of the date of acceptance of the evaluation into the Scheme are mandatory for that evaluation."
Furthermore, it is scheme policy that, if an interpretation becomes final during the course of an evaluation, the sponsor is given a choice of whether to apply the new interpretation or continue with the old one.
This policy does not offer such flexibility to a PP author. Currently, PP authors craft security requirements with a certain expectation on what compliancy to those requirements will mean. Given the current policy, if interpretations are subsequently finalized that adversely affect the meaning of PP compliance, PP authors have no recourse to respond or even be notified of this change. This is an undesirable situation. It is appropriate to attempt to inform the PP author of the interpretation and allow the PP author to determine whether the interpretation is appropriate for that particular PP.
Therefore the resolution to the general question is as follows:
By default, all final interpretations existing as of the date of acceptance of the evaluation into the Scheme are mandatory for the evaluation. However if:
the TOE is seeking compliance to a protection profile, and
there is an interpretation that has been finalized since the evaluation of the PP, and
the interpretation presents a potential conflict to the intent of the PP,
the PP author will be notified of the interpretation under question. This notification will be triggered by an OR filed in the context of an ST/TOE evaluation. If a PP modification is required as a result of the OR, a PP specific interpretation will be generated make this fact known to users of the PP. If the PP author rejects the interpretation, a PP specific interpretation for the PP will be created by the scheme to clarify the author's original intent.
Modification History:
- 2004-08-12
- Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)
References:
- CEM Part 2 Version 1.0 ASE_REQ.1-12
Related NIs:
- I-0407: Empty Selections Or Assignments
Related CCIMB-INTERPs:
- None
Source OD: 0199