PD-0115: Third Party Authentication is permitted by the ALFWPP-MR

This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.

Issue

There is an error in the ALFWPP-MR, dated June 2000, in that the PP does not permit authentication to be performed by any device/component other than the TOE itself. Currently, the TOE objective, O.IDAUTH, in the PP states, "The TOE must uniquely identify and authenticate the claimed identity of all users before granting a user access to TOE functions or, for certain specified services, to a connected network." By being an objective for the TOE, this objective does not provide to developers the flexibility to use other authentication components, such as RAS, TACACS+, RADIUS, to assist in authenticating users and services, as is typically done in today's firewall environments.

Resolution

This PD effects a change that will relocate the identification and authentication objectives in the PP to the environment. Developers and evaluators should proceed as if the TOE objective, O.IDAUTH, has been moved and made a security objective for the IT environment (with appropriate renaming to reflect the conventions for IT Environment objectives). Its accompanying/mapped SFRs, FIA_UID.2 and FIA_UAU.5, should also be considered as security requirements for the IT environment.

Additionally, the U.S. Government Firewall Protection Profile for Medium Robustness Environments, dated October 28, 2003, has replaced the ALFWPP-MR. Many, if not all, of the I&A issues have been remedied in the replacement PP. Lastly, although ALFWPP-MR is still active and is available/approved for use, it will be retired on 30 April 2005.

Support

This makes the flawed PP consistent with its successor.

Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0157