[Public Interpretations Database]

I-0421: Application Notes In Protection Profiles Are Informative Only


TYPE:                 Guidance
NUMBER:               I-0421
STATUS:               Approved, Acceptable to CCIMB, No CCIMB Interpretation

TITLE:                Application Notes In Protection Profiles Are Informative
                      Only
SUPERSEDES:
     I-0364           Application Notes In Protection Profiles Are Informative Only

EFFECTIVE:            2001-06-22

SOURCE REFERENCE:     CC v2.1 Part 1 Subclause B.2.7
                      CC v2.1 Part 3 Clause 4 APE
                      CEM v1.0 Part 2 Clause 3
RELATED TO:
     I-0364           Application Notes In Protection Profiles Are Informative Only
CCIMB ENTRY:          CCIMB-INTERP-0108

ISSUE:

Application notes in PPs, because they are intended to be informative, should not contain normative text and should not conflict with the normative portions of a PP.

STATEMENT:

Application notes in PPs are not normative; they provide information only.

SPECIFIC INTERPRETATION:

[Note: The changes stated below are ADVISORY ONLY, and represent one approach to addressing the guidance in the statement. Other approaches that achieve the same goal are acceptable.]

To address this interpretation, the following changes are made to CC v2.1, and to the CEM, v1.0:

  • Add the following paragraph to CC Part 1, Section B.2.7, following the existing paragraph number 200:

    Application notes shall not contain normative information; rather, they should provide additional clarification or guidance information. It shall be clear to what document portion (e.g., threats, objectives, component elements) the application note applies, and the application note shall be consistent with that portion of the PP.

  • Add the following new family to CC Part 3, Class APE: Protection Profile evaluation, Clause 4, as section 4.1-NIAP-0421:

    Application notes (APE_NIAP-0421-APP)

    Objectives

    Application notes, if present, provide additional clarification or guidance information with respect to document portions (e.g., threats, objectives, component elements) of the PP.

    APE_NIAP-0421-APP.1 Application notes, Evaluation requirements

    Dependencies: No dependencies

    Developer action elements:

    APE_NIAP-0421-APP.1.1D The developer shall provide any application notes as part of the PP.

    Content and presentation of evidence elements:

    APE_NIAP-0421-APP.1.1C Application notes, if provided, shall be informative only.

    APE_NIAP-0421-APP.1.2C Application notes, if provided, shall be consistent with the specific portions of the PP to which they apply.

    Evaluator action elements:

    APE_NIAP-0421-APP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

  • Add the following paragraph to CEM Part 2, Chapter 3, following the existing section heading 3.4:

    3.4.NIAP-0421-APP Evaluation of application notes (APE_NIAP-0421-APP.1)

    3.4.NIAP-0421-APP.1 Objectives

    The objective of this sub-activity is to determine that any application notes included in the PP are not normative, and that they are consistent with the other portions of the PP.

    3.4.NIAP-0421-APP.2 Input

    The evaluation evidence for this sub-activity is:

    • the PP

    3.4.NIAP-0421-APP.3 Evaluator actions

    This sub-activity comprises one CC Part 3 evaluator action element:

    • APE_NIAP-0421-APP.1.1E

    3.4.NIAP-0421-APP.3.1 Action APE_NIAP-0421-APP.1.1E

    APE_NIAP-0421-APP.1.1C

    APE_NIAP-0421-APP.1-1 The evaluator shall examine each application note to determine that the application note is informative only.

    If there are no application notes present in the PP, this work unit is not applicable and is therefore considered to be satisfied.

    The evaluator determines that any application notes that exist in a PP provide informative text only. An application note may provide additional clarification and guidance information on the elements with which the application note is associated. The application notes may be used to explain the nature of the elements of the component.

    An application note that might change the way a PP element is applied, or one that would strengthen or relax the requirements of an element, is likely to be normative and therefore not permitted.

    APE_NIAP-0421-APP.1-2 The evaluator shall check that each application note in the PP is clearly associated with the specific portions of the PP to which it applies.

    If there are no application notes present in the PP, this work unit is not applicable and is therefore considered to be satisfied.

    The purpose of this work unit is to make sure it is clear which application notes in a PP are being associated with which specific portions of the PP.

    For instance, a mapping of application notes to the portions of the PP they are associated with in the PP could be satisfactory to accomplish this. This could be done with a table or by simply having the application note written below the portion of the PP to which that application note applies.

    APE_NIAP-0421-APP.1-3 The evaluator shall examine each application note and determine that it is consistent with the portions of the PP to which it applies.

    If there are no application notes present in the PP, this work unit is not applicable and is therefore considered to be satisfied.

    The evaluator determines that each application note associated with a specific portion of a PP is consistent with the content of that portion. APE_NIAP-0421-APP.1-2 allows the evaluator to determine the association between application notes and the portions of the PP to which they apply, and this work unit allows the evaluator to determine that the application notes are consistent with those portions.

    The evaluator does not need to determine that the application note is consistent with all parts of the PP. There are other work units that are used to ensure the consistency of the other portions of the PP; if the application note is consistent with that portion of the PP to which it applies, it will therefore also be consistent with other portions of the PP.

    For guidance on consistency analysis see Annex B.3.

SUPPORT:

The words in Part 1, Section B.2.7 are potentially misleading with respect to application notes, as the phrase "useful for the ... evaluation" has been read by some to allow normative material in application notes. However, for functional elements, the application notes are contained in the Part 2 Annex, which states at the beginning of the annex:

This annex contains informative guidance for the families and components found in the main body of Part 2, which may be required by users, developers or evaluators to use the components.

Further, Section A.1.2 of the Part 2 Annex clearly notes that any user or evaluator notes are informative (A.1.2.2, A.1.2.3). Section A.1.3.2 notes that the application notes at the component level are "additional refinement in terms of narrative qualification as it pertains to a specific component." Refinement of an informative section can never be normative.

This leads to the conclusion that application notes are informative only, and that any normative material should be expressed through predefined components, refinements of predefined components (such as to specify a specific method of implementation) or explicitly specified requirements.

Further, application notes should not contradict the document element to which they apply. For example, it would be confusing to an evaluator or developer to have an element require only passwords, and the associated application note discuss the use of non-password biometric devices. A larger scope of consistency analysis is not required due to transitivity: if the note is consistent with its associated element, and that element is consistent with the remainder of the PP (when called for in the APE requirements), then the application note should be similarly consistent.

Application notes are unique in Part 1, Annex B in that they are not explicitly mentioned in any other document area, and in that they are optional. However, practice has allowed them to appear in other document areas. As such, the easiest way to address application notes in Part 3 was to create a new family to address application notes, wherever they may appear.

Note: This interpretation is superseding a previously-approved formal interpretation primarily to reflect modifications to the interpretation format. The intent of the interpretation has not been changed, although some specifics of the criteria changes or the support may have been clarified or corrected.

2003-08: The CCIMB issued the following statement on CCIMB-RI-0108, which corresponds to I-0421:

The intent of RI-108 is agreed upon by the CCIMB, but not the specific approach.

The CCIMB disagrees with the need to insert the additional information on application notes into APE as proposed by this national interpretation. However, they agreed that the role of application notes in Protection Profiles needed to be clarified. This clarification has been included in the resolution to RI-222.

This National Interpretation partly arises from a misunderstanding of the use of the term "normative," confusing "normative" with "mandatory." This has been clarified in the resolution to RI-222.

The rewrite of ASE and APE (via the resolution to RI-215) addresses the use of application notes in Protection Profiles.