[Zope3-checkins] SVN: Zope3/trunk/doc/security/SecurityTarget.tex Completed the suitability analysis as indicated by observation 2.11.

Christian Theune ct at gocept.com
Thu Nov 8 04:58:31 EST 2007

Log message for revision 81600:
  Completed the suitability analysis as indicated by observation 2.11.
  Re-arranged FIA_UAU.6 a bit to meet our abstractions for authentication

  U   Zope3/trunk/doc/security/SecurityTarget.tex

Modified: Zope3/trunk/doc/security/SecurityTarget.tex
--- Zope3/trunk/doc/security/SecurityTarget.tex	2007-11-07 17:07:03 UTC (rev 81599)
+++ Zope3/trunk/doc/security/SecurityTarget.tex	2007-11-08 09:58:30 UTC (rev 81600)
@@ -922,9 +922,9 @@
 The TSF shall enforce the \emph{Zope access control policy} to objects
-based on \emph{the interaction principal, the permission required for
-the operation and the grants of the privilege for that
-object or it's ancestor objects}.
+based on \emph{the interaction principals, the permission required for
+the operation and the privilege grants for that
+object or its ancestor objects}.
@@ -1084,8 +1084,7 @@
 The TSF may re-authenticate the user under the conditions
 \item {} 
-If the credentials held by the user agent have expired due to
-a configurable time limit.
+If the authentication plugin considers a set of credentials expired or invalid.
 \item {} 
 If the authenticated user does not have the required permissions to
@@ -1095,8 +1094,12 @@
+\textbf{Note:} As Zope uses a pluggable system to provide authentication
+support for various authentication schemes each scheme has the ability to
+decide whether a given set of credentials is expired. The conditions how this
+is decided is specific to the authentication schema and might be based on
+differing conditions or not be implemented at all.
@@ -1503,10 +1506,9 @@
 To determine whether an operation under a given subject is allowed, Zope has an
 authorization subsystem (aka access control). The authorization subsystem uses
-pluggable policies to allow the implementation of different rule sets. Zope
-provides a default security policy called ``zopepolicy''. The security policy
-considered for this certification is called ``sharing policy'' as implemented
-by the ``zc.sharing'' Python package.
+pluggable policies to allow the implementation of different rule sets. The ST
+provides a security policy called ``sharing policy'' which is configured by
+default.  The policy is implemented by the ``zc.sharing'' Python package.
 Policies implement a method `checkPermission' to determine whether the
 requested access is allowed or not. Policies define the information required to
@@ -2120,7 +2122,7 @@
 FIA\_AFL\_z.1       &            &  \oh           &               &          &               &                        & \oh                &                 &                    \\   
-FIA\_ATD.1          &            &                &               &          & \oh           &                        &                    &                 &                    \\   
+FIA\_ATD.1          &            & \oh            &  \oh          &          & \oh           &                        &                    &                 &                    \\   
 FIA\_UAU.1          &            &                &               &          &               &                        & \oh                &                 &                    \\   
@@ -2146,8 +2148,6 @@
 FPT\_RVM.1          & \oh        &                &               &          &               &                        &  \oh               &                 &                    \\   
-FPT\_FLS.1          &            &                &               &          &               &     \oh                &                    &                 &                    \\   
 FPT\_SEP.1          &  \oh       &                &               &          &               &                        &                    &                 &                    \\ 
 FPT\_STM.1          &            &                &               &          &               &                        &                    &                 &   \oh              \\       
@@ -2158,6 +2158,21 @@
 \subsubsection{Suitability of SF to meet the SFRs}
+\minisec{FAU\_GEN.1 --- Audit data generation}
+Audit data is generated by the \textbf{Auditing} subsystem. Zope's event
+framework is used for standardized event communication using an interface
+description conforming to the required data set. This interface is
+systematically enforced and guarantees that all events received provide the
+required data fields.
+\minisec{FAU\_GEN.2 --- User identity assocation}
+Events received by the \textbf{Auditing} subsystem are correlated by the
+Auditing subsystem to the current interaction (and thus the current
+principals). This guarantees that the user identity associated with an event
+happens and is correct.
 \minisec{FDP\_ACC.2 --- Complete Access Control}
 Complete access control is achieved by the \textbf{Protection} subsystem. The
@@ -2167,7 +2182,12 @@
 When an interaction accesses a proxied object, the protection subsystem
 becomes effective and regulates access.
+\minisec{FDP\_ACF.1 --- Security attribute based access control}
+The rules described for ``Security attribute based access control'' are
+implemented by the ``sharing policy'' as described by the
+\textbf{Authorization} subsystem.
 \minisec{FDP\_ROL.2\_TRANSACTIONS --- Advanced Rollback}
 The \textbf{Transaction management} of ZODB allows rollback of transaction. The
@@ -2190,8 +2210,20 @@
 \textbf{Authentication} subsystem may not be able to distinguish two requests
 to be different user initiated requests or started off at another point in the
+\minisec{FIA\_ATD.1 --- User attribute definition}
+The user attributes as required by FIA\_ATD.1 are defined in Python interfaces
+by the \textbf{Authentication} and \textbf{Authorization} subsystems. All
+specific user definition plugins must adhere to those interfaces and provide a
+unique id for each principal, store credentials (specific to their
+authentication mechanism). The sharing policy as defined by the
+\textbf{Authorization} subsystem is responsible for storing the privilege
+grant information.
+The \textbf{Configuration} subsystem provides an implementation of those
+interfaces for definining the initial set of users.
 \minisec{FIA\_UAU.1, FIA\_UID.1 --- Timing of authentication and identification}
 The \textbf{Publication} subsystem detects provided credentials and existing
@@ -2218,12 +2250,15 @@
 If an operation could not be performed due to missing permission grants, the
 \textbf{Publication} subsystem may -- instead of denying further operation --
 ask the user to provide other credentials to authenticate for a different
-\emph{Note:} This is implemented by the same scheme that is used to initially
+principal. (This is implemented by the same scheme that is used to initially
 retrieve credentials from a user when the operation could not be performed by
-the anonymous principal.
+the anonymous principal.)
+The \textbf{Authentication} subsystem is able to re-challenge a user to
+provide new credentials in the case that a given set of credentials is expired
+or invalid.
 \minisec{FIA\_USB.1 --- User-Subject Binding}
 When the \textbf{Publication} system sets up to perform an operation, it
@@ -2294,6 +2329,19 @@
 Other roles are defined as privileges, too.
+\minisec{FPT\_AMT.1 --- Abstract machine testing}
+The \textbf{Automated tests} subsystem provides executable (Python) code that
+is used to verify that provided components adhere to the interfaces they
+The tests are partially accompanied with documentation that explain their
+goals and the edge cases of specific situations.
+The tests for the ST can be run at any point in time without interfering with
+a running system and can therefore be used to prove that validity of the code
+in use.
 \minisec{FPT\_RVM.1 --- Non-bypassability of the TSP}
 The concept of the \textbf{Protection} system is to put a layer of protection
@@ -2312,6 +2360,13 @@
 the Protection system will prevent the elevation of privileges by assuring that
 the layer of security proxies is installed and effective.
+\minisec{FPT\_STM.1 --- Reliable time stamps}
+Reliable time stamps are provided through a Python API which relies on the
+correct system time provided by the operating system. The subsystem
+\textbf{Python environment} covers this requirement and is complemented by the
+requirement for the environment \textbf{RENV.Linux}.
 \subsection{Assurance measures}
 The assurance measures are selected in accordance to EAL 1. Additionally due to

More information about the Zope3-Checkins mailing list