[Public Interpretations Database]

I-0051: Meaning Of ``On Behalf Of'' In TNI M- And I- Components


NUMBER:               I-0051
STATUS:               Ready to Prepare for Management/CCIMB

TITLE:                Meaning Of ``On Behalf Of'' In TNI M- And I- Components

FIRST POST:            [criteria 2346]
MOST RECENT REPOST:    [criteria 2379]

REQUIREMENT:          Trusted Network Interpretation
CRITERIA CLASSES:     B1, B2, B3, A1
DOCUMENT(S):          <None>
RELATED TO:           <None>

STATEMENT:

The following interprets the TNI Appendix A Network Component rules in their interaction with:

  1. The Mandatory Access Control requirement that ``Identification and authentication data shall be used by the TCB to authenticate the user's identity and to ensure that the security level and authorization of subjects external to the TCB that may be created to act on behalf of the individual user are dominated by the clearance and authorization of that user.''

  2. The Identification and Authentication requirement that ``This data shall be used by the TCB to authenticate the user's identity and to ensure that the sensitivity level and authorization of subjects external to the TCB that may be created to act on behalf of the individual user are dominated by the clearance and authorization of that user.''

The ability to restrict creation of subjects based on the clearance of the creating user is required to be implemented only if a component includes both "M" and "I" elements. However, such a component shall not preclude the restriction of creation of subjects based on the clearance of the creating user when the component is part of a network system that supports both "M" and "I" elements.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

Appendix A of the Trusted Network Interpretation of the TCSEC defines the criteria for evaluation of network components meeting the following parts of the TCSEC functional requirements:

  • (M)andatory Access Control

  • (D)iscretionary Access Control

  • (I)dentification and Authentication

  • (A)udit

Components may address the requirements in only one of these areas (such as an "M" component), or address the requirements in multiple areas (such as an "MIA" component). Problems occur when TCSEC requirements that were not designed for the "component" approach are divided into components.

One such requirement is the Mandatory Access Control requirement, which provides one of the key requirement areas for an "M" component. This requirement includes the statement:

Identification and authentication data shall be used by the TCB to authenticate the user's identity and to ensure that the sensitivity level and authorization of subjects external to the TCB that may be created to act on behalf of the individual user are dominated by the clearance and authorization of that user.

The problem is that, in an "M"-only component, there may not be a concept of "users", nor might there be any identification and authentication data. This means that either "M"-components have internally contradictory requirements, or there are sentences in the MAC requirements that apply only in the presence of an "I" component. There is a similar problem in the Identification and Authentication requirement, where a similar sentence refers to sensitivity labels, creating problems for "I"-only components.

Clearly, "M"-only and "I"-only components have utility, and appear to be permitted by the TNI. This leads to the conclusion that the sentences that refer to using Identification and Authentication data to verify clearances and subject MAC attributes apply only in the context where both "M" and "I" functional elements are present.

For this interpretation, it is irrelevant whether a component has "A" or "D" elements.
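The following is an added example, not part of the interpretation text, that models the "on behalf of" rule from the Statement and Support sections: a subject may be created for a user only if its sensitivity level and authorization are dominated by the user's clearance and authorization, and the check is mandatory only in a component that has both "M" and "I" elements. The level ordering, the user records, the Component class and its network_clearance hook are all constructed for the example; the hook is one way of modelling the requirement that an "M"-only component not preclude the check when an "I" element exists elsewhere in the network system.

```python
# Added example (not from the interpretation text): a toy model of the
# "on behalf of" dominance check and of the M/I split the interpretation
# describes. Level ordering, users and components below are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Hierarchical sensitivity levels (constructed ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: one hierarchical level plus a set of categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: level at least as high AND categories a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass(frozen=True)
class User:
    name: str
    clearance: Label          # clearance and authorization (categories) of the user


@dataclass(frozen=True)
class Subject:
    owner: str                # the individual user the subject acts on behalf of
    label: Label              # sensitivity level and authorization of the subject


class Component:
    """A network component assembled from some subset of the elements M, D, I, A.

    `users` (the identification and authentication data) is only meaningful
    when the component includes the "I" element.
    """

    def __init__(self, elements: str, users: Optional[Dict[str, User]] = None):
        self.elements = frozenset(elements.upper())
        self.users = users or {}

    def has(self, *required: str) -> bool:
        return set(required) <= self.elements

    def create_subject(self, user_name: str, requested: Label,
                       network_clearance: Optional[Callable[[str], Label]] = None) -> Subject:
        """Create a subject at label `requested` acting on behalf of `user_name`.

        The dominance check is mandatory when this component has both M and I.
        An M-only component has no I&A data of its own, but must not preclude the
        check: here it accepts a clearance lookup (`network_clearance`, an
        assumed hook) supplied by an I element elsewhere in the network system.
        """
        clearance: Optional[Label] = None
        if self.has("M", "I"):
            clearance = self.users[user_name].clearance   # KeyError: unknown user
        elif self.has("M") and network_clearance is not None:
            clearance = network_clearance(user_name)
        if clearance is not None and not clearance.dominates(requested):
            raise PermissionError(
                f"{user_name} (clearance {clearance}) may not act at {requested}")
        return Subject(owner=user_name, label=requested)


def can_create_subject(component: Component, user_name: str, requested: Label,
                       network_clearance: Optional[Callable[[str], Label]] = None) -> bool:
    """Boolean wrapper around create_subject, convenient for checks and tests."""
    try:
        component.create_subject(user_name, requested, network_clearance)
        return True
    except PermissionError:
        return False


# Constructed sample data.
ALICE = User("alice", Label("TOP SECRET", frozenset({"NUC", "CRYPTO"})))
BOB = User("bob", Label("SECRET", frozenset({"NUC"})))
USERS = {u.name: u for u in (ALICE, BOB)}
SECRET_NUC = Label("SECRET", frozenset({"NUC"}))
SECRET_NUC_CRYPTO = Label("SECRET", frozenset({"NUC", "CRYPTO"}))

if __name__ == "__main__":
    mi = Component("MI", USERS)
    print("MI, alice  ->", can_create_subject(mi, "alice", SECRET_NUC_CRYPTO))  # True
    print("MI, bob    ->", can_create_subject(mi, "bob", SECRET_NUC_CRYPTO))    # False: lacks CRYPTO
    m_only = Component("M")
    # No "I" element anywhere: there is no user concept, so nothing to check.
    print("M, bob, no I ->", can_create_subject(m_only, "bob", SECRET_NUC_CRYPTO))  # True
    lookup = lambda name: USERS[name].clearance   # I element elsewhere in the network
    print("M, bob, I elsewhere ->",
          can_create_subject(m_only, "bob", SECRET_NUC_CRYPTO, lookup))           # False
```

The category comparison is what makes the check a lattice check rather than a plain level comparison: bob holds SECRET with category NUC, so he is refused a SECRET subject with categories NUC and CRYPTO even though the level matches. The "M"-only component behaves exactly as the interpretation says it may: it performs no check on its own, but does not stand in the way of one when the network supplies the clearance.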