[Public Interpretations Database]

I-0425: Settable Failure Limits Are Permitted

 
TYPE:                 NIAP Interpretation
NUMBER:               I-0425
STATUS:               Formally Superseded

TITLE:                Settable Failure Limits Are Permitted
SUPERSEDES:
     I-0377           Settable Failure Limits Are Permitted
SUPERSEDED BY:        
     CCIMB-INTERP-0111

EFFECTIVE:            2000-12-05
SUPERSEDED:           2003-10-31

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 7.1 FIA_AFL
                      CC v2.1 Part 2 Subclause G.1 FIA_AFL
RELATED TO:
     I-0377           Settable Failure Limits Are Permitted
CCIMB ENTRY:          CCIMB-INTERP-0111

ISSUE:

In element FIA_AFL.1.1, the PP/ST author should specify the default number of unsuccessful authentication attempts that, when met or surpassed, will cause the TSF to perform some action or actions. Part 2, Subclause G.1, paragraph 958 states that the PP/ST author may specify that the number is: "an authorised administrator configurable number". However, the wording used in element FIA_AFL.1.1 ("[assignment: number]") does not allow a phrase to be inserted.

STATEMENT

The number of unsuccessful authentication attempts is permitted to be specifiable by an administrator.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following changes are made to CC v2.1, Part 2: (additions marked thusly; deletions marked thusly)

  • FIA_AFL.1 is relabeled as FIA_AFL.1-NIAP-0425. Unless otherwise noted in these changes, all normative and informative material associated with FIA_AFL.1 is incorporated unchanged into FIA_AFL.1-NIAP-0425, and all references to FIA_AFL.1 in the CC, CEM, or other Common Criteria documentation is changed to refer to FIA_AFL.1-NIAP-0425.

  • FIA_AFL.1.1 is replaced by the following:

    FIA_AFL.1.1-NIAP-0425: The TSF shall detect when [selection: [assignment: positive integer number], "an authorised administrator configurable integer"] unsuccessful authentication attempts occur related to [assignment: list of authentication events].

  • In Subclause G.1, FIA_AFL.1, Operations, the following is added before the "Assignment" operation:

    Selection:

    In FIA_AFL.1.1-NIAP-0425, the PP/ST author should select either the assignment of a positive integer, or the phrase "an authorised administrator configurable integer".

  • In Subclause G.1, FIA_AFL.1, Operations, paragraph 958 (the first "Assignment") is replaced with the following:

    In FIA_AFL.1.1-NIAP-0425, if the assignment of a positive integer is selected, the PP/ST author should specify the default number (positive integer) of unsuccessful authentication attempts that, when met or surpassed, will trigger the events. The PP/ST author may specify that the number is: "an authorised administrator configurable number".

  • Annex G.1, Paragraph 959 is modified to reference FIA_AFL.1.1-NIAP-0425, instead of FIA_AFL.1.1.

SUPPORT:

This interpretation permits the specification of the number of unauthorised authentication attempts to be specified by the administrator.

This interpretation also addresses an ambiguity in the original words. "Number", as used in the element, could potentially be real or negative. That is inappropriate; it is more precise to call it a positive integer.

Note: This interpretation retains the wording "authorised administrator" for conformity with the original FIA_AFL.1 and its annex material.

Note: This interpretation is superseding a previously-approved formal interpretation primarily to reflect modifications to the interpretation format. The intent of the interpretation has not been changed, although some specifics of the criteria changes or the support may have been clarified or corrected.