Offline RI Listing

RI # 105 - Evaluation of the TOE Summary Specification

Type: Explanation/Clarification
Source: US NI
Date: 06/02/2000
Status: Closed
Source #: IWG #0355
CC Part #1 Reference: CC Part 1, Annex C.2.9
CC Part #2 Reference:
CC Part #3 Reference: CC Part 3, Section 5.8 (ASE_TSS)
CEM Reference:
Reason: National Interpretation
Problem:

The CC wording for FDP_IFF.1.1 and FDP_IFF.1.2 is confusing and unclear when it refers to an assignment of "the minimum number and type of security attributes". This is confusing in the area of "minimum number"; the annex fails to clarify this when it refers to a "minimum number...to support the environmental needs". This is unclear in that it seems to call for a simple list of security attributes, without association of security attributes to the controlled entities.

Proposed Solution:

The goal of the ASE_TSS elements is to capture the requirements stated in the normative text in Part 1, Section C.2.9. For the most part, this is true. However, there are two requirements in Section C.2.9 that are not completely captured in ASE_TSS.

Part 1, Section C.2.9 says:

c) The TOE summary specification rationale shall show that the TOE security functions and assurance measures are suitable to meet the TOE security requirements.

The following shall be demonstrated:

1) that the combination of specified TOE IT security functions work together so as to satisfy the TOE security functional requirements;

2) that the strength of TOE function claims made are valid, or that assertions that such claims are unnecessary are valid.

3) that the claim is justified that the stated assurance measures are compliant with the assurance requirements.

The statement of rationale shall be presented at a level of detail that matches the level of detail of the definition of the security functions.

The first sentence of C.2.9 "c)" is verbatim in ASE_TSS.1.5C. Item 1 is stated in ASE_TSS.1.6C. Item 2 doesn't appear in ASE_TSS. Item 3 appears in ASE_TSS.1.8C. The last paragraph of C.2.9 "c)" is not addressed in ASE_TSS.

Thus, there are two portions of Part 1 that are not addressed in Part 3: C.2.9 "c)2)" and the second paragraph of C.2.9 "c)".

Interpretation:

The following interprets the ASE_TSS requirements in their interaction with the Part 1 (Annex C) specification of the TOE Summary Specification:

The Part 1 Annex C specification of the TOE Summary Specification is a more complete list of requirements than is found in the ASE_TSS elements in Part 3.

Criteria and/or Methodology Changes:

To address this interpretation, the following elements should be added to Part 3:

ASE_TSS.1.11C: The TOE summary specification shall demonstrate that the strength of TOE function claims made are valid, or demonstrate that assertions that such claims are unnecessary are valid.

ASE_TSS.1.12C: The TOE summary specification rationale shall be presented at a level of detail that matches the level of detail of the definition of security functions.

Additionally, new work units for ASE_TSS should be created in the CEM to address any new Content and Presentation of Evidence elements.

Support for Interpretation:

This interpretation brings the Part 3 requirements on the TOE Summary Specification into agreement with the Part 1 normative material.




RI Discussions

Draft Interpretations  None

Final Interpretations  None

Incorporated Interpretations  None