user3739941

Smart Cards and Common Criteria requirements (Class FCO)

There is a class named FCO in the security targets of smart cards and Java Cards. Below you see two elements of this class:

CM = Card Manager.

FCO_NRO.2.1/CM

The TSF shall enforce the generation of evidence of origin for transmitted application packages at all times.

FCO_NRO.2.2/CM

[Editorially Refined] The TSF shall be able to relate the identity of the originator of the information, and the application package contained in the information to which the evidence applies.

FCO_NRO.2.3/CM

The TSF shall provide a capability to verify the evidence of origin of information to recipient given [assignment: at the time when the package is received because no evidence is kept on the card for future verifications].

The question is: how can we test whether a card meets these requirements or not? Are the status words the evidence that is mentioned in this class? Or must we write some program to test them?

Upvotes: 2

Views: 115

Answers (1)

guidot

Reputation: 5333

Common Criteria evaluation is very advanced stuff. Even if the requirements read like English, they are not. The learning curve to correctly read the requirements is steep. The amount of interpretation is enormous, which is one of the reasons that evaluation is done by professional (and not exactly cheap) companies. Clarify questions like these with the evaluator, who may hint at what can be done by test, what has to be written into which guidance document for your product, and where additional (and possibly substantial) written argumentation is possible. I have no experience with card manager evaluation, but I can't imagine that simple status word evaluation is sufficient in any of the given cases.

Upvotes: 1
