THIS TD SUPERSEDES TD0122. CHANGED "AUTH CREDENTIALS" TO "AUTH FACTORS" IN THE SELECTION.
The FMT_SMF.1.1 SFR within the SWFE EP v1.0 is modified as follows:
FMT_SMF.1.1:
The TSF shall be capable of performing the following management functions:
[selection:
no other function;
configure password/passphrase complexity setting;
configure cyrptographic functionatily;
change password/passphrase authentication factors;
disable key recovery functionality;
[assignment: other management functions provided by the TSF]
].
As the Application Software PP already includes FMT_SMF.1, the ST author should combine the selections (and assignment, if performed) with those in the FMT_SMF.1 requirement in the Application Software PP to form a single FMT_SMF.1 SFR in the ST. The intent of this requirement is to express the management capabilities that may be included in the TOE. Several common options are given:
• If password or passphrase authorization factors are implemented by the TOE, then the appropriate “change” selection must be included, along with FIA_FCT_EXT.1(2) from Appendix C.
• If the TOE provides for a password/passphrase complexity setting, then “configure password/passphrase complexity setting” will be included, and the specifics of the functionality offered can either be written from the requirement as bullets points, or included in the TSS.
• If the TOE provides configurability of the cryptographic functions (for example, key size of the FEK)—even if the configuration is the form of parameters that may be passed to cryptographic functionality implement on the TOE platform--then “configure cryptographic functionality” will be included, and the specifics of the functionality offered can either be written in this requirement as bullet points, or included in the TSS.
• If the TOE does include a key recovery function, the TOE must provide the capability for the user to turn this functionality off so that no recovery key is generated and no keys are permitted to be exported.
• If “other management functions” are assigned, a validation authority must be consulted to ensure the assurance activities and other functionality requirements that may be needed are appropriately specified so that the ST can claim conformance to this EP.
The Assurance Activites remain the same.
The assignments for "no other function; configure password/passphrase complexity setting; configure cryptographic functionality" were meant to be additional selection items, and only other management functions provided by the TSF is meant to be within the assignment operation. Changing "authentication credentials" to "authentication factors" is more in line with the intent of the SFR.
