TD0301: Updates to Administrator Management and Biometric Authentication
The Assurance Activity for FMT_SMF_EXT.3 in Appendix C adds additional actions that are not found in the SFR text.
For FIA_BMG_EXT.1.1, vendors should be allowed to assign their particular FAR as opposed to being forced to select one from the list.
In Table 14 in Appendix H (H.1.3), the number of test subjects is incorrect in the corresponding row for 1:1,000,000.
MD PP v3.1 will be updated as follows:
1. The Assurance Activity for FMT_SMF_EXT.3 in Appendix C is replaced as follows:
The evaluator shall cause the TOE to be enrolled into management. The evaluator shall then invoke this mechanism and verify the ability to view that the device has been enrolled, view the management functions that the administrator is authorized to perform.
2. FIA_BMG_EXT.1.1 is modified as follows:
The Application Note is replaced as follows:
Application Note: If a BAF or "hybrid" is selected in FIA_UAU.5.1, FIA_BMG_EXT.1.1 must be included in the ST. The assignment shall be completed for each biometric modality selected in FIA_UAU.5.1. If multiple biometric modalities are selected in FIA_UAU.5.1, it is acceptable for each modality to have a different FAR and FRR.
The evaluator shall verify that the TSS contains evidence supporting the testing and calculations completed to determine the FAR and FRR. Appendix H provides guidance to how this testing could be completed and to what error bars are expected when the Rule of 3 is applied. The evaluator shall consult Appendix H as a reference, but should not treat it as a mandate. The evaluator shall verify that the TSS contains evidence of whether online or offline testing was used. If offline testing was completed, evidence describing the differences between the biometric system used for testing and the TOE in the evaluated configuration, if any, must be included.
The following documentation is not required to be part of the TSS - it may be submitted as a separate proprietary document. The evaluator shall verify the evidence includes how many imposters were used for testing and that the testing describes how imposters are compared to enrolled users, for example, if multiple devices for online testing or full cross-comparison for offline testing was used. Adequate documentation is required to demonstrate that testing was completed to support the claimed FAR and FRR.
3. Table 14 in Appendix H (H.1.3) is replaced as follows:
See issue description.
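Added example (not part of this TD or of MD PP v3.1): a sanity check an evaluator could run on submitted FAR evidence, applying the Rule of 3, under which zero errors in N independent trials bound the error rate by about 3/N at 95% confidence. It assumes that a full cross-comparison of n subjects yields n(n-1)/2 comparisons treated as independent; all function names are illustrative, and the output does not reproduce Table 14.

```python
import math

def min_trials_for_far(far_denominator):
    """Error-free impostor comparisons needed to claim FAR 1:far_denominator.
    Rule of 3: 3/N <= 1/D, so N >= 3*D (integer arithmetic, no rounding)."""
    if far_denominator < 1:
        raise ValueError("FAR denominator must be a positive integer")
    return 3 * far_denominator

def cross_comparisons(subjects):
    """Unordered impostor pairs in a full cross-comparison (assumption: each
    pair is compared once and the comparisons are treated as independent)."""
    return subjects * (subjects - 1) // 2

def min_subjects_cross_comparison(far_denominator):
    """Smallest n whose full cross-comparison reaches the Rule of 3 count."""
    need = min_trials_for_far(far_denominator)
    n = max(2, (1 + math.isqrt(1 + 8 * need)) // 2)  # near the quadratic root
    while cross_comparisons(n) < need:
        n += 1
    while n > 2 and cross_comparisons(n - 1) >= need:
        n -= 1
    return n

def exact_upper_bound(trials, confidence=0.95):
    """Exact bound for zero errors: solve (1 - p)^N = 1 - confidence for p.
    The Rule of 3 value 3/N is a slightly conservative approximation of it."""
    return -math.expm1(math.log(1.0 - confidence) / trials)

def supports_claim(far_denominator, impostor_comparisons, false_accepts):
    """True if the evidence supports the claimed FAR under the Rule of 3.
    The rule only applies to error-free runs; with any false accept a
    different confidence interval is needed, so the check fails closed."""
    if false_accepts != 0:
        return False
    return impostor_comparisons >= min_trials_for_far(far_denominator)

if __name__ == "__main__":
    # Constructed sample claims, not values taken from Appendix H.
    for d in (100, 10_000, 1_000_000):
        n = min_subjects_cross_comparison(d)
        print(f"FAR 1:{d}: >= {min_trials_for_far(d)} comparisons, "
              f"{n} subjects ({cross_comparisons(n)} pairs)")
```

For online testing across multiple devices, the comparison count comes from the test log rather than from `cross_comparisons`, and `supports_claim` can be called with that count directly.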