PD-0099: FIA_UID.2, FIA_UAU.2, and FPT_STM.1 Requirements: On the IT Environment?
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
Issue

Part 2 of the CC contains several instances (e.g. FIA_UID.2, FIA_UAU.2, and FPT_STM.1) where the wording of the requirement appears to imply a requirement upon the IT environment, rather than upon the TOE. For example, FIA_UID.2 requires that "The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user." However, this wording does not explicitly mandate that the TSF itself is performing this authentication. Are instances of such wording to be understood to be requirements on the IT environment, or upon the TOE itself?

Resolution

Although the wording in the FIA_UAU.2, FIA_UID.2, and FPT_STM requirements does not explicitly state that the requirements must be met by the TSF, that is clearly the intent of the requirements. Both historically (under the TCSEC, ITSEC, and other international standards) and under the Common Criteria, that is how the requirements have been levied within CCEVS and internationally. The intent of the UAU and UID requirements was to have the user(s) identify themselves to the TOE and require the TSF to perform the authentication. Similarly, the reliable time stamps must be generated by the TSF. These requirements are the de facto standard for requiring the TOE to provide the identification, authentication, and reliable time stamp mechanisms.

Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0220