Operations

Assignment:

In FIA_UAU.5.1, the PP/ST author should define the available authentication mechanisms. An example of such a list could be: "none, password mechanism, biometric (retinal scan), S/key mechanism".

In FIA_UAU.5.2, the PP/ST author should specify the rules that describe how the authentication mechanisms provide authentication and when each is to be used. This means that for each situation the set of mechanisms that might be used for authenticating the user must be described. An example of a list of such rules is: "if the user has special privileges a password mechanism and a biometric mechanism both shall be used, with success only if both succeed; for all other users a password mechanism shall be used."

The PP/ST author might give the boundaries within which the authorised administrator may specify specific rules. An example of a rule is: "the user shall always be authenticated by means of a token; the administrator might specify additional authentication mechanisms that also must be used."

The PP/ST author also might choose not to specify any boundaries but leave the authentication mechanisms and their rules completely up to the authorised administrator.

FIA_UAU.6 Re-authenticating

User application notes

This component addresses potential needs to re-authenticate users at defined points in time. These may include user requests for the TSF to perform security relevant actions, as well as requests from non-TSF entities for re-authentication (e.g. a server application requesting that the TSF re-authenticate the client it is serving).

Operations

Assignment:

In FIA_UAU.6.1, the PP/ST author should specify the list of conditions requiring re-authentication. This list could include a specified user inactivity period that has elapsed, the user requesting a change in active security attributes, or the user requesting the TSF to perform some security critical function.
The PP/ST author might give the boundaries within which the re-authentication should occur and leave the specifics to the authorised administrator. An example of such a rule is: "the user shall always be re-authenticated at least once a day; the administrator might specify that the re-authentication should happen more often but not more often than once every 10 minutes."

FIA_UAU.7 Protected authentication feedback

User application notes

This component addresses the feedback on the authentication process that will be provided to the user. In some systems the feedback consists of indicating how many characters have been typed but not showing the characters themselves, in other systems even this information might not be appropriate.

This component requires that the authentication data is not provided as-is back to the user. In a workstation environment, it could display a dummy (e.g. star) for each password character provided, and not the original character.

Operations

Assignment:

In FIA_UAU.7.1, the PP/ST author should specify the feedback related to the authentication process that will be provided to the user. An example of a feedback assignment is "the number of characters typed", another type of feedback is "the authentication mechanism that failed the authentication".

G.5 User identification (FIA_UID)

This family defines the conditions under which users are required to identify themselves before performing any other actions that are to be mediated by the TSF and that require user identification.

FIA_UID.1 Timing of identification

User application notes

This component poses requirements for the user to be identified. The PP/ST author can indicate specific actions that can be performed before the identification takes place.

If FIA_UID.1 is used, the TSF-mediated actions mentioned in FIA_UID.1 should also appear in this FIA_UAU.1.
Operations

Assignment:

In FIA_UID.1.1, the PP/ST author should specify a list of TSF-mediated actions that can be performed by the TSF on behalf of a user before the user has to identify itself. If no actions are appropriate, component FIA_UID.2 should be used instead. An example of such an action might include the request for help on the login procedure.

FIA_UID.2 User identification before any action

User application notes

In this component users will be identified. A user is not allowed by the TSF to perform any action before being identified.
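The example rules quoted earlier on this page for FIA_UAU.5.2 (multiple mechanisms, administrator additions) and FIA_UAU.6.1 (re-authentication boundaries) can be expressed as a small policy check. This is an added illustration, not part of the source document; the function names, and the choice to apply the "administrator may only add mechanisms" boundary on top of the privileged-user rule, are assumptions.

```python
from datetime import timedelta

# Mechanism names from the FIA_UAU.5.1 example list (without "none").
MECHANISMS = {"password", "biometric", "s/key"}

# FIA_UAU.6.1 example boundaries: at least once a day,
# but not more often than once every 10 minutes.
REAUTH_MAX = timedelta(days=1)
REAUTH_MIN = timedelta(minutes=10)


def required_mechanisms(privileged, admin_extra=frozenset()):
    """Baseline from the FIA_UAU.5.2 example rule plus administrator additions.

    Assumption: the administrator may add mechanisms but never remove
    one that the baseline rule requires.
    """
    unknown = set(admin_extra) - MECHANISMS
    if unknown:
        raise ValueError(f"undefined mechanisms: {sorted(unknown)}")
    baseline = {"password", "biometric"} if privileged else {"password"}
    return baseline | set(admin_extra)


def authenticate(privileged, results, admin_extra=frozenset()):
    """Succeed only if every required mechanism reported success.

    `results` maps mechanism name -> bool; a missing entry counts as failure.
    """
    needed = required_mechanisms(privileged, admin_extra)
    return all(results.get(m) is True for m in needed)


def set_reauth_interval(requested):
    """Accept an administrator-chosen interval only inside the boundaries."""
    if not REAUTH_MIN <= requested <= REAUTH_MAX:
        raise ValueError(f"interval must be within {REAUTH_MIN} .. {REAUTH_MAX}")
    return requested


def reauth_required(since_last_auth, interval):
    """True once the configured interval has elapsed since the last authentication."""
    return since_last_auth >= interval
```

Treating a missing mechanism result as a failure keeps the check fail-closed when one authenticator is unavailable.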