[Public Interpretations Database]

PD-0090: TOE Labels


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2003-04-02
Last Modified: 2006-08-02

Issue

CC Requirement ACM_CAP.2.2C states "The TOE shall be labeled with its reference."

CEM work unit 2:ACM_CAP.2-2 states: "The evaluator shall check that the TOE provided for evaluation is labeled with its reference." The unique reference is required to distinguish different versions of the TOE. The guidance suggests an easy method for identifying the unique reference.

CEM work unit 2:ACM_CAP.2-3 states "The evaluator shall check that the TOE references used are consistent." It is understood that the labeling on the ST must match the unique TOE reference. It is understood that the labeling on the guidance documents must match the unique TOE reference. It is understood that the delivered product (via CD or Internet download) must match the unique TOE reference. It is also understood that the installed TOE must match the unique TOE reference.

The issue pertains to consistency of version numbering within the installed and operational TOE. Must the version number be the unique TOE version number in every location a version number is encountered within the TOE product? Can the installation guide and administrator guide instruct the administrator where to view the unique TOE reference and warn the administrator which TOE references to ignore?

For example, can a version number be listed as version "x" on the install shield and on a properties tab while using the software product, when the unique name of the TOE is version number "x Build y"? Can "Help -> About" from a pull down menu describe the TOE as version number "x.a Build y" when the unique reference of the TOE is version number "x Build y"? Can the administrator be instructed to view the version properties on the installed TOE product files to obtain the correct unique TOE reference and warned not to use the others?

Resolution

The TOE (as a whole) must be labeled with a unique reference, and this unique reference must be available to the installer to ensure that the correct version of the TOE is installed. The installer should also have a list of components of the TOE, together with the version numbers of each component, so that if a component provides a version number and an interface to obtain that version number, the number can be checked against the component list.

However, individual components need not have the same unique reference as the TOE; the only requirement is that the CM system provide a way to identify the versions of each component that are considered part of the evaluated TOE. Similarly, there is no requirement that end users be able to obtain the reference of individual components.

The CC does have a requirement that the unique reference be presented consistently. The following conditions should satisfy the CC requirement for consistent version numbering:

  • Whenever the TOE is referenced as a whole, the unique reference must be used.
  • If the product provides an interactive mechanism for querying version numbers, the response must make it clear whether it refers to the complete TOE (by use of the name of the TOE) or a component thereof. If the response refers to the complete TOE, then the referent (version number) provided must be the unique reference for the TOE.
  • Any package delivered for installation, whether electronically or on physical media, must use the unique reference for the TOE.
  • If installation dialogues refer to the complete TOE, they must use the unique reference. If they refer to components of the TOE, this must be clear.
  • A mapping should be provided to the installer that relates the references for TOE components to the unique reference for the TOE.
  • References to the complete TOE in evaluation evidence should use the unique reference. References to components may use the component reference, as long as the mapping of component references to unique reference is provided to the evaluators.
  • The TOE unique reference must be used in the ST and the certificate, and any public information that references those documents.

Support

The CC requires (ACM_CAP.1.1C, ACM_CAP.1.2C) that the TOE be labeled with a unique reference. The objectives for ACM_CAP clarify one of the purposes for this reference; namely, that the users of the TOE be aware of which instance of the TOE they are using. The Configuration Management requirements also require (starting at ACM_CAP.2) that a list be maintained of the configuration items that comprise the TOE.

Based on these requirements and objectives, it is clear that what is labeled is the TOE as a whole. Individual components may have their own unique reference (version numbers), but these need not correspond to that of the overall TOE. However, in the configuration management documentation, there should be a list of the components of the TOE (including their version numbers). There are no requirements that each component provide users with the ability to ascertain the version numbers of each component.

It is also clear that the recipient of the TOE must be able to ascertain the unique reference for the TOE delivered, presumably to verify that reference against the certificate. Ideally, the installation package would include a list of the version numbers of the components of the TOE, but as there is no mandated interface to verify these, the only way to ascertain that the evaluated TOE is installed is to reinstall the package.

Note that neither the requirements for Delivery (ADO_DEL) nor the requirements for Installation, Generation, and Startup reference the unique identifier for the TOE. This is a mistake. Part of the delivery and installation procedures should be that the recipient verifies the unique reference for the TOE.

ACM_CAP.2 does include a requirement that the TOE reference be consistent. This means that wherever the TOE is referenced as a whole, the reference should be consistent. There should be a way to map any individual component references to the unique reference for the TOE as a whole.

CCIMB Interpretation #37 does not apply. When the TOE is a subset of a product it must still be uniquely identified. Whether that identification refers to that portion of the product that is the TOE or the whole product does not matter. Note that the identification of the individual files that comprise the TOE need not be verified by the evaluators for the purposes of this requirement, though they may need to be for other requirements, e.g. Configuration Management.

Modification History:

2004-02-19
Updated to fix some minor typographical errors. (February 2004 NIB Agenda Item 5.a.vi)
2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CC v2.1 Part 3 Subclause 8.2 ACM_CAP.2.2C
  • CEM v1.0 Part 2 ACM_CAP.2-2 to 3 paragraphs 654-658.

Related NIs:

  • I-0473: Ability To Obtain The Unique Identifier Of The TOE

Related CCIMB-INTERPs:

  • None

Source OD: 0211