I-0076: At B2, Trusted Path Functions May Be Duplicated Outside Trusted Path
NUMBER: I-0076
STATUS: Ready to Prepare for Management/CCIMB
TITLE: At B2, Trusted Path Functions May Be Duplicated Outside Trusted Path
FIRST POST: [criteria 2350]
REQUIREMENT: Trusted Path
CRITERIA CLASSES: B2
DOCUMENT(S): <None>
RELATED TO:
I-0103 Trusted path not required for DAC changes
I-0302 Trusted Path Required For All Authentication
STATEMENT:
The following provides technical guidance regarding the requirement that "The TCB shall support a trusted communication path between itself and user for initial login and authentication."

It is acceptable for a human interface to a security-relevant function to be available through TCB interfaces outside the trusted path in addition to interfaces provided through trusted path.

PROJECTED IMPACT:
Negligible impact anticipated.

SUPPORT:
This interpretation addresses the question of whether interfaces provided through trusted path menus may also be available through untrusted interfaces (such as an untrusted shell).

TCSEC class B2 does not require significant system engineering towards reducing the complexity of the TCB. Nor does TCSEC class B2 call out any specific requirements for what must be available from a trusted path menu, only that trusted path be used for initial login and authentication. There appears to be no requirement that functions provided through the trusted path cannot be available through other interfaces.

Note that providing multiple interfaces for the same function can confuse an end user and provide an avenue of attack for Trojan Horse programs. Thus, although not required, it is recommended that functions provided through the trusted path be available only through the trusted path. This gives the user assurance that the correct program is being invoked. It is permissible for the TFM to direct the administrator to use only the interface provided through the trusted path.