VE14.01.01: A diagram or image of the physical cryptographic module (if appropriate) shall be included in the security policy. The image may be used to indicate the security relevant features of the cryptographic module (e.g., tamper evidence, status indicator(s), user interface(s), power connection(s), etc.).
AS14.02: (Levels 1, 2, 3, and 4) The cryptographic module security policy shall consist of: a specification of the security rules, under which the cryptographic module shall operate, including the security rules derived from the requirements of the standard and the additional security rules imposed by the vendor. Note: This assertion is tested as part of AS14.05-AS14.09.
AS14.03: (Levels 1, 2, 3, and 4) The specification shall be sufficiently detailed to answer the following questions:
- What access does operator X, performing service Y while in role Z, have to security-relevant data item W for every role, service, and security-relevant data item contained in the cryptographic module?
- What physical mechanisms are implemented to protect the cryptographic module and what actions are required to ensure that the physical security of the module is maintained?
- What security mechanisms are implemented in the cryptographic module to mitigate against attacks for which testable requirements are not defined in the standard?
Note: This assertion is tested as part of AS14.05-AS14.09.
AS14.04: (Levels 1, 2, 3, and 4) The cryptographic module security policy shall be expressed in terms of roles, services, and cryptographic keys and CSPs. At a minimum, the following shall be specified:
- an identification and authentication (I&A) policy,
- an access control policy,
- a physical security policy, and
- a security policy for mitigation of other attacks.
Note: This assertion is tested as part of AS14.05-AS14.09.
AS14.05: (Levels 1, 2, 3, and 4) The cryptographic module security policy shall specify an identification and authentication policy, including
- all roles (e.g., user, crypto officer, and maintenance) and associated type of authentication (e.g., identity-based, role-based, or none) and
- the authentication data required of each role or operator (e.g., password or biometric data) and the corresponding strength of the authentication mechanism.