CCMB cPP/SD comments #16
Comments
[Comment] HCDcPP 3.4.1.2 2nd paragraph ed The whole 2nd paragraph (The evaluator shall check to ensure that the operational guidance describes the type(s) of overwrite of user document data) is not relevant to the FTP_TRP.1/NonAdmin Trusted path SFR. This text is already included in HCDcPP Section 4.1.1.2.
[Response] Agree, para 2 is not relevant (overwrite) to TRP and appears to be a mistake.
[Suggestion] Remove Para 2

[Comment] HCDcPP 5.2.6.3.1 Last paragraph ed The paragraph (Now the HCD iTC has taken the text of the,,, in the HCD SD) looks like metadata that accidentally appeared in the main text.
[Response] Agree, last para is not relevant to the activity and appears to be a comment from the drafting of the PP.
[Suggestion] Remove last para.
[Question] Have the requested changes been made to section 5.2.5?

[Comment] HCDcPP A.3 First dot point after “The public facing report contains:” te The text mentions that flaw identifiers returned from searches of public sources should be listed. These raw search results are typically low quality information that may not be helpful to reproduce and thus should not be included in public facing reports.
[Response] Agree. Listing the flaw identifiers (i.e. CVEs) is not useful, but search terms and sources are. Listing the search terms and sources allows consumers to replicate the search themselves and provides a degree of future proofing (since consumers know something of what is in the TOE from the search terms).
[Suggestion] Replace with statement regarding search terms/sources such as, The terms and sources used when the procedures for searching public sources were followed according to instructions in the Supporting Document per Section A.1.1, “Type 1 Hypotheses - Public-Vulnerability-based”;
The fix to issue #16 is available here:
This issue is addressed by the following TD:
The TD above is located at the following location:
These are comments the CCMB raised, nothing serious.
HCDcPP 3.4.1.2 2nd paragraph ed The whole 2nd paragraph (The evaluator shall check to ensure that the operational guidance describes the type(s) of overwrite of user document data) is not relevant to the FTP_TRP.1/NonAdmin Trusted path SFR. This text is already included in HCDcPP Section 4.1.1.2.
HCDcPP 5.2.6.3.1 Last paragraph ed The paragraph (Now the HCD iTC has taken the text of the,,, in the HCD SD) looks like metadata that accidentally appeared in the main text.
HCDcPP A.3 First dot point after “The public facing report contains:” te The text mentions that flaw identifiers returned from searches of public sources should be listed. These raw search results are typically low quality information that may not be helpful to reproduce and thus should not be included in public facing reports.