I-0364: Application Notes In Protection Profiles Are Informative Only


TYPE:                 NIAP Interpretation
NUMBER:               I-0364
STATUS:               Formally Superseded

TITLE:                Application Notes In Protection Profiles Are Informative
                      Only
SUPERSEDED BY:        
     I-0421           Application Notes In Protection Profiles Are Informative Only

EFFECTIVE:            2000-03-27
SUPERSEDED:           2001-06-22

SOURCE REFERENCE:     CC v2.1 Part 1 Subclause B.2.7
                      CC v2.1 Part 3 Clause 4 APE
RELATED TO:           <None>
CCIMB ENTRY:          CCIMB-INTERP-0108

STATEMENT

The following interprets Section B.2.7 of Part 1, which states:

B.2.7 Application notes

This optional section may contain additional supporting information that is considered relevant or useful for the construction, evaluation, or use of the TOE.

Application Notes are not normative; they provide information only.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following paragraph should be added to Part 1, Section B.2.7:

Application notes should not contain normative information; rather, they should provide additional clarification or guidance information. It should be clear to what document element (e.g., threats, objectives, component elements) the application note applies, and the application note should be consistent with that document element.

To make Part 3 consistent with Part 1, the following should be added to the APE class:

Application Notes (APE_APP)

Objectives

Application Notes, if present, provide additional clarification or guidance information with respect to document elements (e.g., threats, objectives, component elements) of the PP.

APE_APP.1 Application Note Requirements

Dependencies: No Dependencies

Developer Action Elements:

None, as application notes are optional.

Content and Presentation Elements:

APE_APP.1.1C Application notes, if provided, shall be informative only.

APE_APP.1.2C Application notes, if provided, shall be consistent with the specific elements of the PP to which they apply.

Evaluator Action Elements:

APE_APP.1.1E The evaluator shall confirm that any provided application notes meet all requirements for content and presentation of evidence.

There should be corresponding changes in the CEM to reflect the new Part 3 component.

SUPPORT:

The words in Part 1, Section B.2.7 are potentially misleading with respect to application notes, as the phrase "useful for the ... evaluation" has been read by some to allow normative material in application notes. However, for functional elements, the application notes are contained in the Part 2 Annex, which states at the beginning of the annex:

This annex contains informative guidance for the families and components found in the main body of Part 2, which may be required by users, developers or evaluators to use the components.

Further, Section A.1.2 of the Part 2 Annex clearly notes that any user or evaluator notes are informative (A.1.2.2, A.1.2.3). Section A.1.3.2 notes that the application notes at the component level are "additional refinement in terms of narrative qualification as it pertains to a specific component." Refinement of an informative section can never be normative.

This leads to the conclusion that application notes are informative only, and that any normative material should be expressed through predefined components, refinements of predefined components (such as to specify a specific method of implementation) or explicitly specified requirements.

Further, application notes should not contradict the document element to which they apply. For example, it would be confusing to an evaluator or developer to have an element require only passwords, and the associated application note discuss the use of non-password biometric devices. A larger scope of consistency analysis is not required due to transitivity: if the note is consistent with its associated element, and that element is consistent with the remainder of the PP (when called for in the APE requirements), then the application note should be similarly consistent.

Application notes are unique in Part 1, Annex B in that they are not explicitly mentioned in any other document area, and that they are optional. However, practice has allowed them to appear in other document areas. As such, the easiest way to address application notes in Part 3 was to create a new family to address application notes, wherever they may appear.