NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0035:  Alignment of FTP_ITC.1. to NDPP V1.1 Errata #3

Publication Date
2015.02.25

Protection Profiles
PP_ND_V1.1, PP_ND_VPN_GW_EP_v1.1

Other References
PP_ND_VPN_GW_EP_V1.1, requirement FTP_ITC.1; PP_ND_V1.1_ERR3, requirement FTP_ITC.1

Issue Description

FTP_ITC.1.1 in the CSfC selection document (based on NDPP Errata #3) currently reads:

 The TSF shall use [IPsec] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: audit server, [selection: authentication server, assignment: [other capabilities]] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

 Whereas FTP_ITC.1.1 in the VPN GW EP v1.1 document currently reads:

 The TSF shall use IPsec, and [selection: SSH, TLS, TLS/HTTPS, no other protocols] to provide a trusted communication channel between itself and all authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

It is not clear which instance of the SFR should be used in the ST when pursuing CSfC validation.

Resolution

FTP_ITC.1.1 in the VPN GW EP V1.1 should be rewritten as follows to match the same requirement in NDPP V1.1 Errata #3:

Refinement: The TSF shall use [selection: IPsec, SSH, TLS, TLS/HTTPS] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: audit server, [selection: authentication server, assignment: [other capabilities]] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

Justification

FTP_ITC.1.1 in the NDPP was updated by Errata #3, which is what CSfC cites in their selections.  FTP_ITC.1.1 in the VPN GW EP should have been updated at the same time so that it inherited the list of "authorized IT entities" in NDPP.

 
 