NIAP: View Technical Decision Details
NIAP/CCEVS
TD0691:  OSPP 4.3 Conditional authentication testing

Publication Date
2022.12.13

Protection Profiles
PP_OS_V4.3

Other References
FIA_AFL.1; FIA_UAU.5

Issue Description

In the OSPP v4.3, the test cases in FIA_AFL.1 are not marked as conditional when, in fact, they should be, as the mechanisms are optional/selectable in FIA_AFL.1 and FIA_UAU.5, and test case 55 specifies a combination that cannot be selected.

Resolution

The following modifications are made to Section 5.1.6 of PP_OS_4.3:

An Application Note is added for FIA_AFL.1.1 as follows, with underlines denoting additions:

Application Note: Selections in FIA_AFL.1 and FIA_UAU.5 must match.

The Evaluation Activities for FIA_AFL.1 are modified as follows, with strikethroughs denoting deletions and underlines denoting additions:

Tests

The evaluator will set an administrator-configurable threshold for failed attempts, or note the ST-specified assignment. The evaluator will then (per selection) repeatedly attempt to authenticate with an incorrect password, PIN, or certificate until the number of attempts reaches the threshold. Note that the authentication attempts and lockouts must also be logged as specified in FAU_GEN.1.

- Test 53 [conditional, to be performed if "authentication based on user name and password" is selected in FIA_AFL.1 and FIA_UAU.5]: The evaluator will attempt to authenticate repeatedly to the system with a known bad password. Once the defined number of failed authentication attempts has been reached, the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied.

- Test 54 [conditional, to be performed if "authentication based on user name and a PIN that releases an asymmetric key stored in OE-protected storage" is selected in FIA_AFL.1 and FIA_UAU.5]: The evaluator will attempt to authenticate repeatedly to the system with a known bad certificate PIN. Once the defined number of failed authentication attempts has been reached, the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied.

- Test 55 [conditional, to be performed if "authentication based on X.509 certificates" is selected in FIA_AFL.1 and FIA_UAU.5]: The evaluator will attempt to authenticate repeatedly to the system using both a bad password and a known bad certificate. Once the defined number of failed authentication attempts has been reached, the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied.

Justification

See issue description.
