[Zope3-checkins] CVS: Zope3/doc/security - SecurityTarget.html:1.1 SecurityTarget.txt:1.1 default.css:1.1 security.ssd:1.1 security_extended.ssd:1.1 ASE.txt:NONE

Christian Theune ct@gocept.com
Mon, 14 Jul 2003 17:14:20 -0400


Update of /cvs-repository/Zope3/doc/security
In directory cvs.zope.org:/tmp/cvs-serv16231

Added Files:
	SecurityTarget.html SecurityTarget.txt default.css 
	security.ssd security_extended.ssd 
Removed Files:
	ASE.txt 
Log Message:
This is the first checkin after the workshop with the
TUV-IT. It contains the draft for the first document we
have to deliver: the Security Target description.

It is written in restructured text and is put into the
archive as a converted html file for convenience.

There also are two diagrams that display the components
involved with security. One is a little bit more in depth.

If you have any questions regarding the Zope 3 security
evaluations, please check http://dev.zope.org/Wikis/DevSite/Projects/ComponentArchitecture/Zope3SecurityEvaluation


=== Added File Zope3/doc/security/SecurityTarget.html ===
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.2.8: http://docutils.sourceforge.net/" />
<title>Zope X3 Security Target for EAL 1</title>
<meta name="date" content="$Date: 2003/07/14 21:14:12 $" />
<meta name="author" content="Steve Alexander &lt;steve&#64;catbox.net&gt;" />
<meta name="author" content="Christian Theune &lt;ct&#64;gocept.com&gt;" />
<link rel="stylesheet" href="default.css" type="text/css" />
</head>
<body>
<div class="document" id="zope-x3-security-target-for-eal-1">
<h1 class="title">Zope X3 Security Target for EAL 1</h1>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr><th class="docinfo-name">Version:</th>
<td>$Version$ (Draft)</td></tr>
<tr><th class="docinfo-name">Date:</th>
<td>$Date: 2003/07/14 21:14:12 $</td></tr>
<tr><th class="docinfo-name">Author:</th>
<td>Steve Alexander &lt;steve&#64;catbox.net&gt;</td></tr>
<tr><th class="docinfo-name">Author:</th>
<td>Christian Theune &lt;ct&#64;gocept.com&gt;</td></tr>
<tr class="field"><th class="docinfo-name">DocumentID:</th><td class="field-body">ST_ZOPE_001</td>
</tr>
</tbody>
</table>
<div class="contents topic" id="contents">
<p class="topic-title"><a name="contents">Contents</a></p>
<ul class="simple">
<li><a class="reference" href="#st-introduction" id="id1" name="id1">ST introduction</a><ul>
<li><a class="reference" href="#st-identification" id="id2" name="id2">ST identification</a></li>
<li><a class="reference" href="#st-overview" id="id3" name="id3">ST overview</a></li>
<li><a class="reference" href="#iso-iec-15408-cc-conformance" id="id4" name="id4">ISO/IEC 15408 (CC) Conformance</a></li>
</ul>
</li>
<li><a class="reference" href="#toe-description" id="id5" name="id5">TOE description</a><ul>
<li><a class="reference" href="#overview" id="id6" name="id6">Overview</a></li>
<li><a class="reference" href="#toe-definition" id="id7" name="id7">TOE definition</a></li>
<li><a class="reference" href="#toe-development-and-production" id="id8" name="id8">TOE Development and Production</a></li>
<li><a class="reference" href="#toe-life-cycle" id="id9" name="id9">TOE Life Cycle</a></li>
<li><a class="reference" href="#toe-boundaries" id="id10" name="id10">TOE Boundaries</a><ul>
<li><a class="reference" href="#physical-boundaries" id="id11" name="id11">Physical Boundaries</a></li>
<li><a class="reference" href="#toe-logical-boundaries" id="id12" name="id12">TOE Logical Boundaries</a></li>
</ul>
</li>
</ul>
</li>
<li><a class="reference" href="#toe-security-environment" id="id13" name="id13">TOE security environment</a><ul>
<li><a class="reference" href="#assets" id="id14" name="id14">Assets</a></li>
<li><a class="reference" href="#subjects" id="id15" name="id15">Subjects</a></li>
<li><a class="reference" href="#operations" id="id16" name="id16">Operations</a></li>
<li><a class="reference" href="#assumptions-about-the-environment" id="id17" name="id17">Assumptions (about the environment)</a></li>
<li><a class="reference" href="#threats" id="id18" name="id18">Threats</a></li>
<li><a class="reference" href="#organisational-security-policies" id="id19" name="id19">Organisational security policies</a></li>
</ul>
</li>
<li><a class="reference" href="#security-objectives" id="id20" name="id20">Security Objectives</a><ul>
<li><a class="reference" href="#security-objectives-for-the-toe" id="id21" name="id21">Security objectives for the TOE</a></li>
<li><a class="reference" href="#security-objectives-for-the-environment" id="id22" name="id22">Security objectives for the environment</a></li>
</ul>
</li>
<li><a class="reference" href="#security-requirements" id="id23" name="id23">Security requirements</a><ul>
<li><a class="reference" href="#toe-security-requirements" id="id24" name="id24">TOE security requirements</a><ul>
<li><a class="reference" href="#toe-security-functional-requirements" id="id25" name="id25">TOE security functional requirements</a><ul>
<li><a class="reference" href="#class-fau-audit-data-generation" id="id26" name="id26">Class FAU: Audit data generation</a></li>
<li><a class="reference" href="#class-fdp-data-protection" id="id27" name="id27">Class FDP: Data protection</a><ul>
<li><a class="reference" href="#fdp-acc-2-complete-access-control" id="id28" name="id28">FDP_ACC.2 Complete access control</a></li>
<li><a class="reference" href="#fdp-acf-1" id="id29" name="id29">FDP_ACF.1</a></li>
<li><a class="reference" href="#fdp-etc-2" id="id30" name="id30">FDP_ETC.2</a></li>
<li><a class="reference" href="#fdp-itc-1" id="id31" name="id31">FDP_ITC.1</a></li>
<li><a class="reference" href="#fdp-itc-2" id="id32" name="id32">FDP_ITC.2</a></li>
<li><a class="reference" href="#fdp-rip-1-subset-residual-information-protection" id="id33" name="id33">FDP_RIP.1 Subset residual information protection</a></li>
<li><a class="reference" href="#fdp-rol-2-transactions-advanced-rollback" id="id34" name="id34">FDP_ROL.2_TRANSACTIONS Advanced Rollback</a></li>
<li><a class="reference" href="#fdp-rol-1-undo-basic-rollback" id="id35" name="id35">FDP_ROL.1_UNDO Basic rollback</a></li>
</ul>
</li>
<li><a class="reference" href="#class-fia-identification-and-authentication" id="id36" name="id36">Class FIA: Identification and authentication</a><ul>
<li><a class="reference" href="#fia-atd-1-user-attribute-definition" id="id37" name="id37">FIA_ATD.1 User attribute definition</a></li>
<li><a class="reference" href="#fia-uau-1-timing-of-authentication" id="id38" name="id38">FIA_UAU.1 Timing of authentication</a></li>
<li><a class="reference" href="#fia-uau-5" id="id39" name="id39">FIA.UAU.5</a></li>
<li><a class="reference" href="#fia-uau-6-re-authentication" id="id40" name="id40">FIA.UAU.6 Re-authentication</a></li>
<li><a class="reference" href="#fia-uid-1" id="id41" name="id41">FIA_UID.1</a></li>
<li><a class="reference" href="#fia-usb-1-user-subject-binding" id="id42" name="id42">FIA_USB.1 User-subject binding</a></li>
<li><a class="reference" href="#xxx-nice-to-have" id="id43" name="id43">XXX Nice to have:</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li><a class="reference" href="#toe-security-assurance-requirements" id="id44" name="id44">TOE security assurance requirements</a></li>
<li><a class="reference" href="#security-requirements-for-the-it-environment" id="id45" name="id45">Security requirements for the IT environment</a></li>
</ul>
</li>
<li><a class="reference" href="#todo" id="id46" name="id46">TODO</a></li>
</ul>
</div>
<p>$Changes$</p>
<div class="section" id="st-introduction">
<h1><a class="toc-backref" href="#id1" name="st-introduction">ST introduction</a></h1>
<div class="section" id="st-identification">
<h2><a class="toc-backref" href="#id2" name="st-identification">ST identification</a></h2>
<table class="field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field"><th class="field-name">Document Title:</th><td class="field-body">Zope X3, Security target</td>
</tr>
<tr class="field"><th class="field-name">Document ID:</th><td class="field-body">ST_ZOPE_001</td>
</tr>
<tr class="field"><th class="field-name" colspan="2">Document Version:</th></tr>
<tr><td>&nbsp;</td><td class="field-body">$Version$</td>
</tr>
<tr class="field"><th class="field-name">Origin:</th><td class="field-body"></td>
</tr>
<tr class="field"><th class="field-name">TOE Reference:</th><td class="field-body">Zope X3</td>
</tr>
<tr class="field"><th class="field-name" colspan="2">TOE Commercial Name:</th></tr>
<tr><td>&nbsp;</td><td class="field-body">Zope X3</td>
</tr>
<tr class="field"><th class="field-name" colspan="2">TOE Short Description:</th></tr>
<tr><td>&nbsp;</td><td class="field-body">Platform independent, Python, XXX feature article from zope.org</td>
</tr>
<tr class="field"><th class="field-name">Product Type:</th><td class="field-body">Web Application Server</td>
</tr>
<tr class="field"><th class="field-name" colspan="2">Evaluation Body:</th></tr>
<tr><td>&nbsp;</td><td class="field-body">Evaluation Body of TUV Informationstechnik GmbH, Germany</td>
</tr>
<tr class="field"><th class="field-name" colspan="2">Certification Body:</th></tr>
<tr><td>&nbsp;</td><td class="field-body">Certification Body of TUV Informationstechnik GmbH, Germany</td>
</tr>
</tbody>
</table>
<p>This ST is based upon Common Criteria, Version 2.1 ([CC]).
The TOE consists of the following component:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="30%" />
<col width="27%" />
<col width="43%" />
</colgroup>
<thead valign="bottom">
<tr><th>Component</th>
<th>Version</th>
<th>Supplier</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>Zope</td>
<td>X3</td>
<td>Zope Corporation</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div class="section" id="st-overview">
<h2><a class="toc-backref" href="#id3" name="st-overview">ST overview</a></h2>
<p>The main objectives of this Security Target are:</p>
<blockquote>
<ul class="simple">
<li>To describe the Target of Evaluation (TOE).</li>
<li>To describe the security environment of the TOE including the assets to
be protected and the threats to be countered by the TOE and its
environment.</li>
<li>To describe the security objectives of the TOE and its supporting
environment.</li>
<li>To specify the Security Requirements, which include the TOE security
functional requirements as of CC, part 2 and the assurance requirements as
of CC, part 3.</li>
<li>To set up the TOE summary specification, which includes the TOE
security functions specifications and the assurance measures.</li>
</ul>
</blockquote>
</div>
<div class="section" id="iso-iec-15408-cc-conformance">
<h2><a class="toc-backref" href="#id4" name="iso-iec-15408-cc-conformance">ISO/IEC 15408 (CC) Conformance</a></h2>
<p>This ST is claimed to be conformant with the ISO/IEC 15408:1999 (Common
Criteria, Version 2.1 with final interpretations, see [CC]) and its following
parts:</p>
<blockquote>
<ul class="simple">
<li>Part 2 and</li>
<li>Part 3, EAL1.</li>
</ul>
</blockquote>
<p>The assurance level is EAL 1.</p>
</div>
</div>
<div class="section" id="toe-description">
<h1><a class="toc-backref" href="#id5" name="toe-description">TOE description</a></h1>
<div class="section" id="overview">
<h2><a class="toc-backref" href="#id6" name="overview">Overview</a></h2>
<p>For b uilding Web application, framework, ...
Functionality should be provided, main structure</p>
</div>
<div class="section" id="toe-definition">
<h2><a class="toc-backref" href="#id7" name="toe-definition">TOE definition</a></h2>
<p>Product type: Web application server software that provides functionality for
restricting operations on objects based on permissions declared to protect
those operations.</p>
<p>Principals are granted permissions both statically via configuration files and
dynamically via settings in the object database.</p>
<p>You can use roles to mediate between principals and permissions.</p>
<p>Principals are authenticated in various way depending on the means of
connection to a server.  Authentication usually envolves a username-password
such as for FTP-Authentication and HTTP-Basic-Authentication.  Other
authentication mechanisms are possible.</p>
</div>
<div class="section" id="toe-development-and-production">
<h2><a class="toc-backref" href="#id8" name="toe-development-and-production">TOE Development and Production</a></h2>
<p>Only authorised persons can modify the Zope source code.</p>
<p>The official / canonical version of Zope is held by Zope Corporation (ZC) in
the ZC the repository.</p>
<p>The certified version is held as a named branch in the ZC repository.</p>
<p>Open source</p>
<p>All changes to source code and other files in the repository are reported
publically to interested persons including those persons that are responsible
for overseeing the quality and direction of parts of Zope.</p>
<p>Any change to a file in the repository causes that file to have a new version
number and the exact change is recorded.</p>
</div>
<div class="section" id="toe-life-cycle">
<h2><a class="toc-backref" href="#id9" name="toe-life-cycle">TOE Life Cycle</a></h2>
<p>describe releases here</p>
</div>
<div class="section" id="toe-boundaries">
<h2><a class="toc-backref" href="#id10" name="toe-boundaries">TOE Boundaries</a></h2>
<div class="section" id="physical-boundaries">
<h3><a class="toc-backref" href="#id11" name="physical-boundaries">Physical Boundaries</a></h3>
<p>The whole Zope package.</p>
</div>
<div class="section" id="toe-logical-boundaries">
<h3><a class="toc-backref" href="#id12" name="toe-logical-boundaries">TOE Logical Boundaries</a></h3>
<p>Access Control functionality.</p>
<p>Default username-password authentication mechanism.</p>
<p>Publishing mechanism.</p>
</div>
</div>
</div>
<div class="section" id="toe-security-environment">
<h1><a class="toc-backref" href="#id13" name="toe-security-environment">TOE security environment</a></h1>
<div class="section" id="assets">
<h2><a class="toc-backref" href="#id14" name="assets">Assets</a></h2>
<p>The following assets have been identified:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="28%" />
<col width="72%" />
</colgroup>
<thead valign="bottom">
<tr><th>Asset Name</th>
<th>Description</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>Content-Objects</td>
<td>&nbsp;</td>
</tr>
<tr><td>Operations</td>
<td>&nbsp;</td>
</tr>
<tr><td>Principals</td>
<td>&nbsp;</td>
</tr>
<tr><td>Role grants</td>
<td>&nbsp;</td>
</tr>
<tr><td>Permission grants</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div class="section" id="subjects">
<h2><a class="toc-backref" href="#id15" name="subjects">Subjects</a></h2>
<p>Outside of Zope the &quot;system-administrator&quot; configures the Config-files as an
initial step before the first starting of Zope occurs.</p>
<p>Subjects are instantiated principals.</p>
<p>Principals are represented by a unique ID, credentials and metadata.</p>
<p>Credentials are identification and authentication data like username and
password.</p>
<p>Metadata are related information of the principal, just additional information
to the principal.</p>
<p>The ID is the data the system internally identifies the user.</p>
<p>There are two kinds of principals: The anybody-user and the authenticated user.</p>
<p>If a principal has the permission to grant permissions/roles he can grant
permissions/roles to himself and other principals.</p>
<p>Roles are used in applications of Zope to express the different tasks and
responsibilities of users. Permissions are granted to roles and roles are
granted to principals. Therefore roles serve as an indirect means of granting
permissions to principals. Permissions can also be granted directly to
principals.</p>
<p>Permissions guard operations on objects. A permission has an unique ID.</p>
</div>
<div class="section" id="operations">
<h2><a class="toc-backref" href="#id16" name="operations">Operations</a></h2>
<p>Operations are performed on objects. They are defined in an objects class. A
class is defined in the Python programming language and is identified by a
fully qualified name.</p>
<p>A operation is a name defined in a class. It may take a form of an attribute, a
method or some other related python thing.</p>
<p>There are two possible kinds of access to an operation: Reading such as reading
an attribute or calling a method. Writing such as setting or deleting an
attribute. Reading is guarded with a different permission than writing.</p>
</div>
<div class="section" id="assumptions-about-the-environment">
<h2><a class="toc-backref" href="#id17" name="assumptions-about-the-environment">Assumptions (about the environment)</a></h2>
<p>The following assumptions need to be made about the TOE environment:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="23%" />
<col width="77%" />
</colgroup>
<thead valign="bottom">
<tr><th>Assumption Name</th>
<th>Description</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>A.OS</td>
<td>The machine and the operating system Zope is
running on is physical secure.</td>
</tr>
<tr><td>A.Admin</td>
<td>The &quot;system-administrator&quot; of the above
mentioned machine is trustworthy.</td>
</tr>
<tr><td>A.Network</td>
<td>A network connection to the Zope services is
present. All The other network connection are
secure in such a way that the integrity of
the machine and operating system is preserved.</td>
</tr>
<tr><td>A.Client</td>
<td>The connection between client and Zope server is
secure in a sense the the identification and
authentication data is not monitored or interfered.</td>
</tr>
<tr><td>A.Credential</td>
<td>The user is keeping the credential to authenticate
secret.</td>
</tr>
<tr><td>A.Integrity</td>
<td>The system is administrated such that the system is
free from malicious software like viruses and
Trojan horses.</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div class="section" id="threats">
<h2><a class="toc-backref" href="#id18" name="threats">Threats</a></h2>
<p>The following threat agents have been identified:</p>
<p>...</p>
<p>The following threats against the assets have been identified:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="15%" />
<col width="59%" />
<col width="25%" />
</colgroup>
<thead valign="bottom">
<tr><th>Threat</th>
<th>Threat description</th>
<th>Asset</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>T.IA</td>
<td>An attacker might impersonate an authorised
principal without providing the necessary
credentials.</td>
<td>Principal</td>
</tr>
<tr><td>T.PermRole</td>
<td>A principal changes the role grants or
permission grants without having that right.</td>
<td>Permission grants,
Role grants</td>
</tr>
<tr><td>T.Operation</td>
<td>A principal performs an operation on an object
without having the correct permission.</td>
<td>Operation, Object</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div class="section" id="organisational-security-policies">
<h2><a class="toc-backref" href="#id19" name="organisational-security-policies">Organisational security policies</a></h2>
<p>The following OSP have been identified:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="34%" />
<col width="66%" />
</colgroup>
<thead valign="bottom">
<tr><th>OSP</th>
<th>Description</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>OSP.Source_code_changes</td>
<td>Changes to source code can only be made by
persons who have signed an agreement with Zope
Corporation, Virginia USA. They must preserve a
cryptographic key in order to change code.</td>
</tr>
<tr><td>OSP.Version_numbre</td>
<td>Released versions of Zope cannot be modified.
Any modification would imply a new release
number.</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
</div>
<div class="section" id="security-objectives">
<h1><a class="toc-backref" href="#id20" name="security-objectives">Security Objectives</a></h1>
<div class="section" id="security-objectives-for-the-toe">
<h2><a class="toc-backref" href="#id21" name="security-objectives-for-the-toe">Security objectives for the TOE</a></h2>
<p>The following security objectives have been defined for the TOE:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="22%" />
<col width="78%" />
</colgroup>
<thead valign="bottom">
<tr><th>Objective Name</th>
<th>Description</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>O.IA</td>
<td>All principals must be identified and authenticated
with the exception of &quot;anybody&quot;-principal.</td>
</tr>
<tr><td>O.Objects</td>
<td>A principal can perform an operation on an object
only if he has the permission.</td>
</tr>
<tr><td>O.Grants</td>
<td>Only principals having the permission to change
permission/role grants can change the
permission/role grants.</td>
</tr>
<tr><td>O.Access</td>
<td>Access to objects is only possible via operations.</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div class="section" id="security-objectives-for-the-environment">
<h2><a class="toc-backref" href="#id22" name="security-objectives-for-the-environment">Security objectives for the environment</a></h2>
<p>The following security objectives have been defined for the TOE environment:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="21%" />
<col width="79%" />
</colgroup>
<thead valign="bottom">
<tr><th>Assumption Name</th>
<th>Description</th>
</tr>
</thead>
<tbody valign="top">
<tr><td>OE.OS</td>
<td>The machine and the operating system Zope is running
on is physical secure.</td>
</tr>
<tr><td>OE.Admin</td>
<td>The &quot;system-administrator&quot; of the above mentioned
machine is trustworthy.</td>
</tr>
<tr><td>OE.Network</td>
<td>A network connection to the Zope services is present.
All The other network connection are secure in such a
way that the integrity of the machien and operating
system is preserved.</td>
</tr>
<tr><td>OE.Client</td>
<td>The connection between client and Zope server is secure
in a sense the the identification and authentication
data is not monitored or interfered.</td>
</tr>
<tr><td>OE.Credential</td>
<td>The user is keeping the credential to authenticate
secret.</td>
</tr>
<tr><td>OE.Integrity</td>
<td>The system is administrated such that the system is
free from malicious software like viruses and Trojan
horses.</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
</div>
<div class="section" id="security-requirements">
<h1><a class="toc-backref" href="#id23" name="security-requirements">Security requirements</a></h1>
<div class="section" id="toe-security-requirements">
<h2><a class="toc-backref" href="#id24" name="toe-security-requirements">TOE security requirements</a></h2>
<div class="section" id="toe-security-functional-requirements">
<h3><a class="toc-backref" href="#id25" name="toe-security-functional-requirements">TOE security functional requirements</a></h3>
<p>The following functional requirements identify the TOE functional requirements.
They have beend drawn from the CC Part 2 functional requirements components.</p>
<div class="section" id="class-fau-audit-data-generation">
<h4><a class="toc-backref" href="#id26" name="class-fau-audit-data-generation">Class FAU: Audit data generation</a></h4>
<dl>
<dt>FAU_GEN.1 </dt>
<dd>(select: level of detail)</dd>
</dl>
<p>FAU_GEN.2</p>
</div>
<div class="section" id="class-fdp-data-protection">
<h4><a class="toc-backref" href="#id27" name="class-fdp-data-protection">Class FDP: Data protection</a></h4>
<div class="section" id="fdp-acc-2-complete-access-control">
<h5><a class="toc-backref" href="#id28" name="fdp-acc-2-complete-access-control">FDP_ACC.2 Complete access control</a></h5>
<dl>
<dt>FDP_ACC.2.1</dt>
<dd>The TSF shall enforce the [formal security policy] on
[subjects: principals and objects: operations on content objects, role
grants, permission grants] and all operations among subjects and
objects covered by the SFP.</dd>
<dt>FDP_ACC.2.2</dt>
<dd>The TSF shall ensure that all operations between any
subject in the TSC and any object within the TSC are covered by an
access control SFP.</dd>
</dl>
</div>
<div class="section" id="fdp-acf-1">
<h5><a class="toc-backref" href="#id29" name="fdp-acf-1">FDP_ACF.1</a></h5>
<dl>
<dt>FDP_ACF.1.1</dt>
<dd>The TSF shall enforce the [formal security policy] to objects
based on [context, object, operation, principal].</dd>
<dt>FDP_ACF.1.2</dt>
<dd>The TSF shall enforce the following rules to determine
if an operation among controlled subjects and controlled objects is
allowed: [The principal has been granted the required permission to
perform the operation on that object in that context. A special
permission is required to rollback to historical versions of content
objects.]</dd>
<dt>FDP_ACF.1.3</dt>
<dd>The TSF shall explicitly authorise access of subjects to
objects based on the following additional rules:</dd>
<dt>FDP_ACF.1.4</dt>
<dd>The TSF shall explicitly deny access of subjcets to objects
based on the following additional rules: [none]</dd>
</dl>
</div>
<div class="section" id="fdp-etc-2">
<h5><a class="toc-backref" href="#id30" name="fdp-etc-2">FDP_ETC.2</a></h5>
<p>(als standardoperation beschreiben (TOE description), eventueller threat)</p>
</div>
<div class="section" id="fdp-itc-1">
<h5><a class="toc-backref" href="#id31" name="fdp-itc-1">FDP_ITC.1</a></h5>
<p>XXX provide details (data import)</p>
</div>
<div class="section" id="fdp-itc-2">
<h5><a class="toc-backref" href="#id32" name="fdp-itc-2">FDP_ITC.2</a></h5>
<p>XXX provide details (data import)</p>
</div>
<div class="section" id="fdp-rip-1-subset-residual-information-protection">
<h5><a class="toc-backref" href="#id33" name="fdp-rip-1-subset-residual-information-protection">FDP_RIP.1 Subset residual information protection</a></h5>
<dl>
<dt>FDP_RIP.1.1</dt>
<dd>The TSF shall ensure that any previous information content
of a resource is made unavailable upon the [allocation of the resource
to, deallocation of the resource from] the following objects:
[principals, permission grants, role grants, permission definition and
role definition].</dd>
</dl>
</div>
<div class="section" id="fdp-rol-2-transactions-advanced-rollback">
<h5><a class="toc-backref" href="#id34" name="fdp-rol-2-transactions-advanced-rollback">FDP_ROL.2_TRANSACTIONS Advanced Rollback</a></h5>
<dl>
<dt>FDP_ROL.2.1 </dt>
<dd>The TSF shall permit [the rollback of all
operations on all objects].</dd>
<dt>FDP_ROL.2.2 </dt>
<dd>The TSF shall permit operations to be rolled
back [at any time before the transaction in which the operation was
performed is committed].</dd>
</dl>
</div>
<div class="section" id="fdp-rol-1-undo-basic-rollback">
<h5><a class="toc-backref" href="#id35" name="fdp-rol-1-undo-basic-rollback">FDP_ROL.1_UNDO Basic rollback</a></h5>
<dl>
<dt>FDP_ROL.1.1 </dt>
<dd>The TSF shall enforce [formal security policy] to permit
the rollback of the [operations cause changes] on the [content
objects].</dd>
<dt>FDP_ROL.1.2 </dt>
<dd>The TSF shall permit operations to be rolled back
within the [period of time for which the old revisions of the objects
exist].</dd>
</dl>
</div>
</div>
<div class="section" id="class-fia-identification-and-authentication">
<h4><a class="toc-backref" href="#id36" name="class-fia-identification-and-authentication">Class FIA: Identification and authentication</a></h4>
<div class="section" id="fia-atd-1-user-attribute-definition">
<h5><a class="toc-backref" href="#id37" name="fia-atd-1-user-attribute-definition">FIA_ATD.1 User attribute definition</a></h5>
<dl>
<dt>FIA_ATD.1.1 </dt>
<dd>The TSF shall maintain the following list of security
attributes belonging to individual principals [uniqueid, credentials,
role grants, permission grants]</dd>
</dl>
</div>
<div class="section" id="fia-uau-1-timing-of-authentication">
<h5><a class="toc-backref" href="#id38" name="fia-uau-1-timing-of-authentication">FIA_UAU.1 Timing of authentication</a></h5>
<dl>
<dt>FIA_UAU.1.1 </dt>
<dd><p class="first">The TSF shall allow [only those operations granted to the
anonymous principal] on behalf of the user before the [principal] is
authenticated.</p>
<p class="last">[Note: It is possible to deny all operations to the anonymous
principal. This means that a user must login before any actions may
performed on their behalf. This fullfills the terms of FIA_UAU.2]</p>
</dd>
<dt>FIA_UAU.1.2 </dt>
<dd>The TSF shall require each [principal] to be successfully
authenticated before allowing any other TSF-mediated actions on behalf
of that user.</dd>
</dl>
</div>
<div class="section" id="fia-uau-5">
<h5><a class="toc-backref" href="#id39" name="fia-uau-5">FIA.UAU.5</a></h5>
<blockquote>
XXX (basic auth, diget, cookie ... look that up)</blockquote>
</div>
<div class="section" id="fia-uau-6-re-authentication">
<h5><a class="toc-backref" href="#id40" name="fia-uau-6-re-authentication">FIA.UAU.6 Re-authentication</a></h5>
<dl>
<dt>FIA_UAU.6.1 </dt>
<dd>The TSF shall re-authenticate the user under the conditions
[a) that he is trying to perform an action that has been unauthorised and
is offered the opportunity to present other credentials, if it possible
that presenting other credentials may result in authorisation. 
b) If the credentials held by the user agent have expired due to a time 
limit encoded in those credentials. E.g. a cookie held by a web browser].</dd>
</dl>
</div>
<div class="section" id="fia-uid-1">
<h5><a class="toc-backref" href="#id41" name="fia-uid-1">FIA_UID.1</a></h5>
<blockquote>
XXX (copy FIA_UAU.1 here)</blockquote>
</div>
<div class="section" id="fia-usb-1-user-subject-binding">
<h5><a class="toc-backref" href="#id42" name="fia-usb-1-user-subject-binding">FIA_USB.1 User-subject binding</a></h5>
<dl>
<dt>FIA_USB.1.1</dt>
<dd><p class="first">The TSF shall associate the appropriate user security
attributes with subjects acting on behalf of that user.</p>
<p class="last">[Note: This has to do with ownership in the sense of responsibility for
executable code.]</p>
</dd>
</dl>
</div>
<div class="section" id="xxx-nice-to-have">
<h5><a class="toc-backref" href="#id43" name="xxx-nice-to-have">XXX Nice to have:</a></h5>
<blockquote>
<p>This is currently not sure if it is going to be implemented. Ask someone who knows.</p>
<p>FIA_SOS.1
FIA_AFL.1</p>
</blockquote>
</div>
</div>
</div>
</div>
<div class="section" id="toe-security-assurance-requirements">
<h2><a class="toc-backref" href="#id44" name="toe-security-assurance-requirements">TOE security assurance requirements</a></h2>
<p>The Evaluation Assurance Level chosen for this Evaluation is EAL 1.</p>
<p>The following TOE assurance requirements drawn from CC Part 3 are valid:</p>
<blockquote>
<table class="table" frame="border" rules="all">
<colgroup>
<col width="20%" />
<col width="54%" />
<col width="27%" />
</colgroup>
<thead valign="bottom">
<tr><th>Identification</th>
<th>Description</th>
<th>Direct dependencies</th>
</tr>
</thead>
<tbody valign="top">
<tr><td><strong>ACM</strong></td>
<td>Configuration management (CM)</td>
<td>&nbsp;</td>
</tr>
<tr><td>ACM_CAP.1</td>
<td>Version numbers</td>
<td>None</td>
</tr>
<tr><td><strong>ADO</strong></td>
<td>Delivery and Operation</td>
<td>&nbsp;</td>
</tr>
<tr><td>ADO_IGS.1</td>
<td>Installation, generation and start-up</td>
<td>AGD_ADM.1</td>
</tr>
<tr><td><strong>ADV</strong></td>
<td>Development</td>
<td>&nbsp;</td>
</tr>
<tr><td>ADV_FSP.1</td>
<td>Informal Functional specification</td>
<td>ADV_RCR.1</td>
</tr>
<tr><td>ADV_RCR.1</td>
<td>Representation correspondence:
Information correspondence
demonstration</td>
<td>None</td>
</tr>
<tr><td><strong>AGD</strong></td>
<td>Guidance documents</td>
<td>&nbsp;</td>
</tr>
<tr><td>AGD_ADM.1</td>
<td>Administrator guidance</td>
<td>ADV_FSP.1</td>
</tr>
<tr><td>AGD_USR.1</td>
<td>User guidance</td>
<td>ADV_FSP.1</td>
</tr>
<tr><td><strong>ATE</strong></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr><td>ATE_IND.1</td>
<td>Independent testing - conformance</td>
<td>ADV_FSP.1
AGD_ADM.1
AGD_USR.1</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div class="section" id="security-requirements-for-the-it-environment">
<h2><a class="toc-backref" href="#id45" name="security-requirements-for-the-it-environment">Security requirements for the IT environment</a></h2>
<p>The following security requirements exist for the IT environment:</p>
<p>Security requirements for the non-IT environment</p>
<p>TOE security functions</p>
<blockquote>
<p>TSF_AUD Audit</p>
<p>TSF_DATA Data im-/export</p>
<p>TSF_RIP Residual information protection</p>
<p>TSF_IA Identification and authentication</p>
<blockquote>
<em>example</em>
The TSF does not allow any kind of transactions until the principal has
presented his username and password. The length of the password is at
least 6 characters.</blockquote>
<p>TSF_ACC Access control</p>
<p>TSF_ROLL Rollback</p>
</blockquote>
<p>Operating Environment Boundaries:</p>
<blockquote>
Operating System
Python Version
Browsers (Can't assure about browser behaviour)
ZODB Storage</blockquote>
</div>
</div>
<div class="section" id="todo">
<h1><a class="toc-backref" href="#id46" name="todo">TODO</a></h1>
<blockquote>
<ul class="simple">
<li>Bibliographic references</li>
<li>Threat agents</li>
<li>RST table formatting</li>
<li>Put in the rest of the Security Target template from word document</li>
<li>Numbering of sections would be fine</li>
</ul>
</blockquote>
</div>
</div>
</body>
</html>
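
Review bot: In the "Security requirements for the IT environment" section, the titles "Security requirements for the non-IT environment" and "TOE security functions" are emitted as plain <p> elements instead of headings, and the four Operating Environment Boundaries items are run together inside a single blockquote. Both come from the source: those titles have no underline in SecurityTarget.txt and the boundary items have no list markers, so the fix belongs there, followed by regenerating this file. The ATE row of the assurance table also has an empty description cell, where every other class row names its class. Because this HTML is converted output of the .txt, it would be safer to generate it at build time than to keep a second copy in the repository that can drift from the source.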


=== Added File Zope3/doc/security/SecurityTarget.txt ===
===================================
 Zope X3 Security Target for EAL 1
===================================

:Version: $Version$ (Draft)
:Date: $Date: 2003/07/14 21:14:12 $
:Authors: Steve Alexander <steve@catbox.net>, Christian Theune <ct@gocept.com>
:DocumentID: ST_ZOPE_001

.. contents::

$Changes$

ST introduction
===============

ST identification
-----------------

:Document Title: Zope X3, Security target

:Document ID: ST_ZOPE_001

:Document Version: $Version$

:Origin: 

:TOE Reference: Zope X3

:TOE Commercial Name: Zope X3

:TOE Short Description: Platform independent, Python, XXX feature article from zope.org

:Product Type: Web Application Server

:Evaluation Body: Evaluation Body of TUV Informationstechnik GmbH, Germany

:Certification Body: Certification Body of TUV Informationstechnik GmbH, Germany

This ST is based upon Common Criteria, Version 2.1 ([CC]).
The TOE consists of the following component:

    ===========     ==========  ================
    Component       Version     Supplier
    ===========     ==========  ================
    Zope            X3          Zope Corporation
    ===========     ==========  ================

ST overview
-----------

The main objectives of this Security Target are:

    *   To describe the Target of Evaluation (TOE).

    *   To describe the security environment of the TOE including the assets to
        be protected and the threats to be countered by the TOE and its
        environment.

    *   To describe the security objectives of the TOE and its supporting
        environment.
    
    *   To specify the Security Requirements, which include the TOE security
        functional requirements as of CC, part 2 and the assurance requirements as
        of CC, part 3.
    
    *   To set up the TOE summary specification, which includes the TOE
        security functions specifications and the assurance measures.

ISO/IEC 15408 (CC) Conformance
------------------------------

This ST is claimed to be conformant with the ISO/IEC 15408:1999 (Common
Criteria, Version 2.1 with final interpretations, see [CC]) and its following
parts:

    *   Part 2 and
    
    *   Part 3, EAL1.
    
The assurance level is EAL 1.

TOE description
===============

Overview
--------

For b uilding Web application, framework, ...
Functionality should be provided, main structure

TOE definition
--------------

Product type: Web application server software that provides functionality for
restricting operations on objects based on permissions declared to protect
those operations. 

Principals are granted permissions both statically via configuration files and
dynamically via settings in the object database.  

You can use roles to mediate between principals and permissions. 

Principals are authenticated in various way depending on the means of
connection to a server.  Authentication usually envolves a username-password
such as for FTP-Authentication and HTTP-Basic-Authentication.  Other
authentication mechanisms are possible.

TOE Development and Production
------------------------------

Only authorised persons can modify the Zope source code.

The official / canonical version of Zope is held by Zope Corporation (ZC) in
the ZC the repository.

The certified version is held as a named branch in the ZC repository.

Open source

All changes to source code and other files in the repository are reported
publically to interested persons including those persons that are responsible
for overseeing the quality and direction of parts of Zope.

Any change to a file in the repository causes that file to have a new version
number and the exact change is recorded.

TOE Life Cycle
--------------

describe releases here

TOE Boundaries
--------------

Physical Boundaries
^^^^^^^^^^^^^^^^^^^

The whole Zope package.

TOE Logical Boundaries
^^^^^^^^^^^^^^^^^^^^^^

Access Control functionality.

Default username-password authentication mechanism.

Publishing mechanism.

TOE security environment
========================

Assets
------

The following assets have been identified:

    =================   ===========================================
    Asset Name          Description                 
    =================   ===========================================
    Content-Objects
    Operations
    Principals
    Role grants
    Permission grants
    =================   ===========================================

Subjects
--------

Outside of Zope the "system-administrator" configures the Config-files as an
initial step before the first starting of Zope occurs.

Subjects are instantiated principals.

Principals are represented by a unique ID, credentials and metadata.

Credentials are identification and authentication data like username and
password.

Metadata are related information of the principal, just additional information
to the principal.

The ID is the data the system internally identifies the user.

There are two kinds of principals: The anybody-user and the authenticated user.

If a principal has the permission to grant permissions/roles he can grant
permissions/roles to himself and other principals.

Roles are used in applications of Zope to express the different tasks and
responsibilities of users. Permissions are granted to roles and roles are
granted to principals. Therefore roles serve as an indirect means of granting
permissions to principals. Permissions can also be granted directly to
principals. 

Permissions guard operations on objects. A permission has an unique ID.

Operations
----------

Operations are performed on objects. They are defined in an objects class. A
class is defined in the Python programming language and is identified by a
fully qualified name.

A operation is a name defined in a class. It may take a form of an attribute, a
method or some other related python thing.

There are two possible kinds of access to an operation: Reading such as reading
an attribute or calling a method. Writing such as setting or deleting an
attribute. Reading is guarded with a different permission than writing.  

Assumptions (about the environment)
-----------------------------------

The following assumptions need to be made about the TOE environment:

    ===============     ==================================================
    Assumption Name     Description
    ===============     ==================================================
    A.OS                The machine and the operating system Zope is 
                        running on is physical secure.
    A.Admin             The "system-administrator" of the above 
                        mentioned machine is trustworthy.
    A.Network           A network connection to the Zope services is 
                        present. All The other network connection are 
                        secure in such a way that the integrity of 
                        the machine and operating system is preserved.
    A.Client            The connection between client and Zope server is 
                        secure in a sense the the identification and 
                        authentication data is not monitored or interfered.
    A.Credential        The user is keeping the credential to authenticate 
                        secret.
    A.Integrity         The system is administrated such that the system is 
                        free from malicious software like viruses and 
                        Trojan horses.
    ===============     ==================================================

Threats
-------

The following threat agents have been identified:

...

The following threats against the assets have been identified:

    ============    ===============================================     ====================
    Threat          Threat description                                  Asset
    ============    ===============================================     ====================
    T.IA            An attacker might impersonate an authorised         Principal
                    principal without providing the necessary 
                    credentials.              
    T.PermRole      A principal changes the role grants or              Permission grants,
                    permission grants without having that right.        Role grants
    T.Operation     A principal performs an operation on an object      Operation, Object
                    without having the correct permission.               
    ============    ===============================================     ====================

Organisational security policies
--------------------------------

The following OSP have been identified:

    ========================    ===============================================
    OSP                         Description
    ========================    ===============================================
    OSP.Source_code_changes     Changes to source code can only be made by 
                                persons who have signed an agreement with Zope 
                                Corporation, Virginia USA. They must preserve a 
                                cryptographic key in order to change code.
    OSP.Version_numbre          Released versions of Zope cannot be modified. 
                                Any modification would imply a new release 
                                number.
    ========================    ===============================================

Security Objectives
===================

Security objectives for the TOE
-------------------------------

The following security objectives have been defined for the TOE:

    ==============          ===================================================
    Objective Name          Description
    ==============          ===================================================
    O.IA                    All principals must be identified and authenticated
                            with the exception of "anybody"-principal.
    O.Objects               A principal can perform an operation on an object 
                            only if he has the permission.
    O.Grants                Only principals having the permission to change 
                            permission/role grants can change the 
                            permission/role grants.
    O.Access                Access to objects is only possible via operations.
    ==============          ===================================================

Security objectives for the environment
---------------------------------------

The following security objectives have been defined for the TOE environment:


    ===============     =======================================================
    Assumption Name     Description
    ===============     =======================================================
    OE.OS               The machine and the operating system Zope is running 
                        on is physical secure.
    OE.Admin            The "system-administrator" of the above mentioned 
                        machine is trustworthy.
    OE.Network          A network connection to the Zope services is present. 
                        All The other network connection are secure in such a 
                        way that the integrity of the machien and operating 
                        system is preserved.
    OE.Client           The connection between client and Zope server is secure 
                        in a sense the the identification and authentication 
                        data is not monitored or interfered.
    OE.Credential       The user is keeping the credential to authenticate 
                        secret.
    OE.Integrity        The system is administrated such that the system is 
                        free from malicious software like viruses and Trojan 
                        horses.
    ===============     =======================================================

Security requirements
=====================

TOE security requirements
-------------------------

TOE security functional requirements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The following functional requirements identify the TOE functional requirements.
They have beend drawn from the CC Part 2 functional requirements components.

Class FAU: Audit data generation
********************************

FAU_GEN.1 
    (select: level of detail)
    
FAU_GEN.2

Class FDP: Data protection
***************************

FDP_ACC.2 Complete access control
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FDP_ACC.2.1
    The TSF shall enforce the [formal security policy] on
    [subjects: principals and objects: operations on content objects, role
    grants, permission grants] and all operations among subjects and
    objects covered by the SFP.

FDP_ACC.2.2
    The TSF shall ensure that all operations between any
    subject in the TSC and any object within the TSC are covered by an
    access control SFP.

FDP_ACF.1 
~~~~~~~~~

FDP_ACF.1.1
    The TSF shall enforce the [formal security policy] to objects
    based on [context, object, operation, principal].

FDP_ACF.1.2
    The TSF shall enforce the following rules to determine
    if an operation among controlled subjects and controlled objects is
    allowed: [The principal has been granted the required permission to
    perform the operation on that object in that context. A special
    permission is required to rollback to historical versions of content
    objects.]

FDP_ACF.1.3
    The TSF shall explicitly authorise access of subjects to
    objects based on the following additional rules: 

FDP_ACF.1.4
    The TSF shall explicitly deny access of subjcets to objects
    based on the following additional rules: [none]

FDP_ETC.2
~~~~~~~~~
         
(als standardoperation beschreiben (TOE description), eventueller threat)
    
FDP_ITC.1
~~~~~~~~~

XXX provide details (data import)

FDP_ITC.2
~~~~~~~~~

XXX provide details (data import)
    
FDP_RIP.1 Subset residual information protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
FDP_RIP.1.1
    The TSF shall ensure that any previous information content
    of a resource is made unavailable upon the [allocation of the resource
    to, deallocation of the resource from] the following objects:
    [principals, permission grants, role grants, permission definition and
    role definition].

FDP_ROL.2_TRANSACTIONS Advanced Rollback
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FDP_ROL.2.1 
    The TSF shall permit [the rollback of all
    operations on all objects].

FDP_ROL.2.2 
    The TSF shall permit operations to be rolled
    back [at any time before the transaction in which the operation was
    performed is committed].

FDP_ROL.1_UNDO Basic rollback 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FDP_ROL.1.1 
    The TSF shall enforce [formal security policy] to permit
    the rollback of the [operations cause changes] on the [content
    objects].

FDP_ROL.1.2 
    The TSF shall permit operations to be rolled back
    within the [period of time for which the old revisions of the objects
    exist].

Class FIA: Identification and authentication
********************************************

FIA_ATD.1 User attribute definition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FIA_ATD.1.1 
    The TSF shall maintain the following list of security
    attributes belonging to individual principals [uniqueid, credentials,
    role grants, permission grants]

FIA_UAU.1 Timing of authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FIA_UAU.1.1 
    The TSF shall allow [only those operations granted to the
    anonymous principal] on behalf of the user before the [principal] is
    authenticated.

    [Note: It is possible to deny all operations to the anonymous
    principal. This means that a user must login before any actions may
    performed on their behalf. This fullfills the terms of FIA_UAU.2]

FIA_UAU.1.2 
    The TSF shall require each [principal] to be successfully
    authenticated before allowing any other TSF-mediated actions on behalf
    of that user.

FIA.UAU.5
~~~~~~~~~

    XXX (basic auth, diget, cookie ... look that up)
    
FIA.UAU.6 Re-authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~

FIA_UAU.6.1 
    The TSF shall re-authenticate the user under the conditions
    [a) that he is trying to perform an action that has been unauthorised and
    is offered the opportunity to present other credentials, if it possible
    that presenting other credentials may result in authorisation. 
    b) If the credentials held by the user agent have expired due to a time 
    limit encoded in those credentials. E.g. a cookie held by a web browser].

FIA_UID.1
~~~~~~~~~

 XXX (copy FIA_UAU.1 here)

FIA_USB.1 User-subject binding
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
FIA_USB.1.1
    The TSF shall associate the appropriate user security
    attributes with subjects acting on behalf of that user.

    [Note: This has to do with ownership in the sense of responsibility for
    executable code.]

XXX Nice to have:
~~~~~~~~~~~~~~~~~

    This is currently not sure if it is going to be implemented. Ask someone who knows.

    FIA_SOS.1
    FIA_AFL.1

TOE security assurance requirements
-----------------------------------

The Evaluation Assurance Level chosen for this Evaluation is EAL 1.

The following TOE assurance requirements drawn from CC Part 3 are valid:

    ==============          ======================================  ===================
    Identification          Description                             Direct dependencies
    ==============          ======================================  ===================
    **ACM**                 Configuration management (CM)   
        ACM_CAP.1           Version numbers                         None
    **ADO**                 Delivery and Operation          
        ADO_IGS.1           Installation, generation and start-up   AGD_ADM.1
    **ADV**                 Development
        ADV_FSP.1           Informal Functional specification       ADV_RCR.1
        ADV_RCR.1           Representation correspondence:          None
                            Information correspondence 
                            demonstration         
    **AGD**                 Guidance documents
        AGD_ADM.1           Administrator guidance                  ADV_FSP.1
        AGD_USR.1           User guidance                           ADV_FSP.1
    **ATE**
        ATE_IND.1           Independent testing - conformance       ADV_FSP.1
                                                                    AGD_ADM.1
                                                                    AGD_USR.1
    ==============          ======================================  ===================

Security requirements for the IT environment
--------------------------------------------

The following security requirements exist for the IT environment:

Security requirements for the non-IT environment


TOE security functions

    TSF_AUD Audit

    TSF_DATA Data im-/export

    TSF_RIP Residual information protection

    TSF_IA Identification and authentication

        *example*
        The TSF does not allow any kind of transactions until the principal has
        presented his username and password. The length of the password is at
        least 6 characters.

    TSF_ACC Access control

    TSF_ROLL Rollback



Operating Environment Boundaries:

    Operating System
    Python Version
    Browsers (Can't assure about browser behaviour)
    ZODB Storage


TODO
====

    *   Bibliographic references

    *   Threat agents

    *   RST table formatting

    *   Put in the rest of the Security Target template from word document

    *   Numbering of sections would be fine
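
Review bot: The TSF_IA example under "TOE security functions" states a minimum password length of 6 characters, but FIA_SOS.1 (verification of secrets), the requirement that would carry such a quality metric, is only listed under "XXX Nice to have" as possibly not implemented. Either state FIA_SOS.1 as a requirement with that metric or drop the length claim from the example, so the summary specification does not promise more than the functional requirements do. The TOE definition names FTP and HTTP Basic authentication, which leaves protection of the credentials in transit entirely to A.Client / OE.Client; the document should say how the environment is expected to meet that. Consistency points: the environment objectives table still has the column header "Assumption Name" over the OE.* rows, the headings "FIA.UAU.5" and "FIA.UAU.6" use a dot where every other component uses an underscore, the identifier "OSP.Version_numbre" is misspelled, FDP_ACF.1.3 has an empty rule list where FDP_ACF.1.4 says [none], and the note under FDP_ETC.2 is in German and should be translated or turned into an XXX marker like the others.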


=== Added File Zope3/doc/security/default.css ===
/*
:Author: David Goodger
:Author: Christian Theune
:Contact: ct@gocept.com
:date: $Date: 2003/07/14 21:14:12 $
:version: $Revision: 1.1 $
:copyright: This stylesheet has been placed in the public domain.

Default cascading style sheet for the HTML output of Docutils including
modifications for the Zope X3 evaluation documentation.
*/

body {
    font-family: Verdana, sans-serif;
    max-width: 50em;
    }

.first {
  margin-top: 0 }

.last {
  margin-bottom: 0 }

a.toc-backref {
  text-decoration: none ;
  color: black }

dd {
  margin-bottom: 0.5em }

div.abstract {
  margin: 2em 5em }

div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }

div.attention, div.caution, div.danger, div.error, div.hint,
div.important, div.note, div.tip, div.warning {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }

div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }

div.hint p.admonition-title, div.important p.admonition-title,
div.note p.admonition-title, div.tip p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }

div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }

div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }

div.figure {
  margin-left: 2em }

div.footer, div.header {
  font-size: smaller }

div.sidebar {
  margin-left: 1em ;
  border: medium outset ;
  padding: 0em 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right }

div.system-messages {
  margin: 5em }

div.system-messages h1 {
  color: red }

div.system-message {
  border: medium outset ;
  padding: 1em }

div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }

div.topic {
  margin: 2em }

h1.title {
  text-align: center }

h2.subtitle {
  text-align: center }

hr {
  width: 75% }

ol.simple, ul.simple {
  margin-bottom: 1em }

ol.arabic {
  list-style: decimal }

ol.loweralpha {
  list-style: lower-alpha }

ol.upperalpha {
  list-style: upper-alpha }

ol.lowerroman {
  list-style: lower-roman }

ol.upperroman {
  list-style: upper-roman }

p.caption {
  font-style: italic }

p.credits {
  font-style: italic ;
  font-size: smaller }

p.label {
  white-space: nowrap }

p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }

p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }

p.topic-title {
  font-weight: bold }

pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font-family: serif ;
  font-size: 100% }

pre.line-block {
  font-family: serif ;
  font-size: 100% }

pre.literal-block, pre.doctest-block {
  margin-left: 2em ;
  margin-right: 2em ;
  background-color: #eeeeee }

span.classifier {
  font-family: sans-serif ;
  font-style: oblique }

span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }

span.interpreted {
  font-family: sans-serif }

span.option {
  white-space: nowrap }

span.option-argument {
  font-style: italic }

span.pre {
  white-space: pre }

span.problematic {
  color: red }

table {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }

table.citation {
  border-left: solid thin gray ;
  padding-left: 0.5ex }

table.docinfo {
  margin: 2em 4em }

table.footnote {
  border-left: solid thin black ;
  padding-left: 0.5ex }

td, th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }

thead th {
  background-color: #CCCCCC;
  }
th.docinfo-name, th.field-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap;
  }

h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt {
  font-size: 100% }

tt {
  background-color: #eeeeee }

ul.auto-toc {
  list-style-type: none }

li {
    margin-bottom:1em;
    }


=== Added File Zope3/doc/security/security.ssd ===
Storage 
{
	{ Format 1.33 }
	{ GeneratedFrom TSSD-version-2.20 }
	{ WrittenBy ctheune }
	{ WrittenOn "" }
}

Document 
{
	{ Type "Static Structure Diagram" }
	{ Name security.ssd }
	{ Author ctheune }
	{ CreatedOn "" }
	{ Annotation "" }
	{ Hierarchy False }
}

Page 
{
	{ PageOrientation Portrait }
	{ PageSize A4 }
	{ ShowHeaders False }
	{ ShowFooters False }
	{ ShowNumbers False }
}

Scale 
{
	{ ScaleValue 1.44 }
}

# GRAPH NODES

SSDClassNode 1
{
	{ Name "Principal" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 2
{
	{ Name "Object" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 3
{
	{ Name "Role" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 4
{
	{ Name "Permission" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 5
{
	{ Name "Operation" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 6
{
	{ Name "Class" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 7
{
	{ Name "Authentication\rService" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 8
{
	{ Name "Operation\rImplementation" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 9
{
	{ Name "Permission\rService" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 10
{
	{ Name "RoleService" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 11
{
	{ Name "Principal\rPermission\rMapping" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 12
{
	{ Name "Principal\rRole\rMapping" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

Note 13
{
	{ Name "different\rLocations" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
}

SSDClassNode 56
{
	{ Name "Role\rPermission\rMapping" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

# GRAPH EDGES

SSDAggregationEdge 14
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 1 }
	{ Subject2 7 }
	{ Constraint1 "*" }
	{ Constraint2 "1" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 15
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 2 }
	{ Subject2 6 }
	{ Constraint1 "*" }
	{ Constraint2 "1" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 16
{
	{ Name "provides" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 5 }
	{ Subject2 2 }
	{ Constraint1 "*" }
	{ Constraint2 "1" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 17
{
	{ Name "implements" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 6 }
	{ Subject2 8 }
	{ Constraint1 "1" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 18
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 8 }
	{ Subject2 5 }
	{ Constraint1 "1" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 19
{
	{ Name "guards" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 4 }
	{ Subject2 8 }
	{ Constraint1 "1" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDAggregationEdge 20
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 3 }
	{ Subject2 10 }
	{ Constraint1 "*" }
	{ Constraint2 "" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDAggregationEdge 21
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 4 }
	{ Subject2 9 }
	{ Constraint1 "*" }
	{ Constraint2 "" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 22
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 11 }
	{ Subject2 4 }
	{ Constraint1 "*" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 23
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 11 }
	{ Subject2 1 }
	{ Constraint1 "*" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 24
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 12 }
	{ Subject2 1 }
	{ Constraint1 "*" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 25
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 12 }
	{ Subject2 3 }
	{ Constraint1 "*" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

CommentLink 26
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 13 }
	{ Subject2 11 }
}

CommentLink 27
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 12 }
	{ Subject2 13 }
}

CommentLink 57
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 13 }
	{ Subject2 56 }
}

SSDBinaryAssociationEdge 58
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 3 }
	{ Subject2 56 }
	{ Constraint1 "*" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

SSDBinaryAssociationEdge 59
{
	{ Name "" }
	{ Annotation "" }
	{ Parent 0 }
	{ Subject1 56 }
	{ Subject2 4 }
	{ Constraint1 "*" }
	{ Constraint2 "*" }
	{ RoleName1 "" }
	{ RoleName2 "" }
}

# VIEWS AND GRAPHICAL SHAPES

View 28
{
	{ Index "0" }
	{ Parent 0 }
}

SSDSingleClassBox 29
{
	{ View 28 }
	{ Subject 1 }
	{ Position 110 280 }
	{ Size 91 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

SSDSingleClassBox 30
{
	{ View 28 }
	{ Subject 2 }
	{ Position 290 530 }
	{ Size 80 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

SSDSingleClassBox 31
{
	{ View 28 }
	{ Subject 3 }
	{ Position 330 110 }
	{ Size 80 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

SSDSingleClassBox 32
{
	{ View 28 }
	{ Subject 4 }
	{ Position 550 280 }
	{ Size 100 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

SSDSingleClassBox 33
{
	{ View 28 }
	{ Subject 5 }
	{ Position 550 530 }
	{ Size 91 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

SSDSingleClassBox 34
{
	{ View 28 }
	{ Subject 6 }
	{ Position 290 400 }
	{ Size 80 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

SSDSingleClassBox 35
{
	{ View 28 }
	{ Subject 7 }
	{ Position 110 380 }
	{ Size 199 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 36
{
	{ View 28 }
	{ Subject 14 }
	{ FromShape 29 }
	{ ToShape 35 }
	{ Curved False }
	{ End1 Empty }
	{ End2 WhiteDiamond }
	{ Points 2 }
	{ Point 110 303 }
	{ Point 110 358 }
	{ NamePosition 96 330 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName True }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 124 313 }
	{ T2Position 124 348 }
	{ T3Position 96 313 }
	{ T4Position 96 348 }
	{ NameDirection None }
}

C2R2Line 37
{
	{ View 28 }
	{ Subject 15 }
	{ FromShape 30 }
	{ ToShape 34 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 290 508 }
	{ Point 290 423 }
	{ NamePosition 276 465 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 304 498 }
	{ T2Position 304 433 }
	{ T3Position 276 498 }
	{ T4Position 276 433 }
	{ NameDirection None }
}

C2R2Line 38
{
	{ View 28 }
	{ Subject 16 }
	{ FromShape 33 }
	{ ToShape 30 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 505 530 }
	{ Point 330 530 }
	{ NamePosition 417 520 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 484 540 }
	{ T2Position 351 540 }
	{ T3Position 484 520 }
	{ T4Position 351 520 }
	{ NameDirection None }
}

SSDSingleClassBox 39
{
	{ View 28 }
	{ Subject 8 }
	{ Position 550 400 }
	{ Size 126 42 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 40
{
	{ View 28 }
	{ Subject 17 }
	{ FromShape 34 }
	{ ToShape 39 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 330 400 }
	{ Point 487 400 }
	{ NamePosition 408 390 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 349 410 }
	{ T2Position 468 410 }
	{ T3Position 349 390 }
	{ T4Position 468 390 }
	{ NameDirection None }
}

C2R2Line 41
{
	{ View 28 }
	{ Subject 18 }
	{ FromShape 39 }
	{ ToShape 33 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 550 421 }
	{ Point 550 508 }
	{ NamePosition 536 464 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 564 431 }
	{ T2Position 564 498 }
	{ T3Position 536 431 }
	{ T4Position 536 498 }
	{ NameDirection None }
}

C2R2Line 42
{
	{ View 28 }
	{ Subject 19 }
	{ FromShape 32 }
	{ ToShape 39 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 550 303 }
	{ Point 550 379 }
	{ NamePosition 536 341 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 564 313 }
	{ T2Position 564 369 }
	{ T3Position 536 313 }
	{ T4Position 536 369 }
	{ NameDirection None }
}

SSDSingleClassBox 43
{
	{ View 28 }
	{ Subject 9 }
	{ Position 720 280 }
	{ Size 101 42 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

SSDSingleClassBox 44
{
	{ View 28 }
	{ Subject 10 }
	{ Position 330 30 }
	{ Size 101 42 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 45
{
	{ View 28 }
	{ Subject 20 }
	{ FromShape 31 }
	{ ToShape 44 }
	{ Curved False }
	{ End1 Empty }
	{ End2 WhiteDiamond }
	{ Points 2 }
	{ Point 330 88 }
	{ Point 330 51 }
	{ NamePosition 316 69 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName True }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 344 78 }
	{ T2Position 344 61 }
	{ T3Position 316 78 }
	{ T4Position 316 61 }
	{ NameDirection None }
}

C2R2Line 46
{
	{ View 28 }
	{ Subject 21 }
	{ FromShape 32 }
	{ ToShape 43 }
	{ Curved False }
	{ End1 Empty }
	{ End2 WhiteDiamond }
	{ Points 2 }
	{ Point 600 280 }
	{ Point 670 280 }
	{ NamePosition 635 270 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName True }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 610 290 }
	{ T2Position 660 290 }
	{ T3Position 610 270 }
	{ T4Position 660 270 }
	{ NameDirection None }
}

SSDSingleClassBox 47
{
	{ View 28 }
	{ Subject 11 }
	{ Position 340 280 }
	{ Size 101 56 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 48
{
	{ View 28 }
	{ Subject 22 }
	{ FromShape 47 }
	{ ToShape 32 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 391 280 }
	{ Point 500 280 }
	{ NamePosition 445 270 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 404 290 }
	{ T2Position 487 290 }
	{ T3Position 404 270 }
	{ T4Position 487 270 }
	{ NameDirection None }
}

C2R2Line 49
{
	{ View 28 }
	{ Subject 23 }
	{ FromShape 47 }
	{ ToShape 29 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 290 280 }
	{ Point 156 280 }
	{ NamePosition 223 270 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 274 290 }
	{ T2Position 172 290 }
	{ T3Position 274 270 }
	{ T4Position 172 270 }
	{ NameDirection None }
}

SSDSingleClassBox 50
{
	{ View 28 }
	{ Subject 12 }
	{ Position 110 110 }
	{ Size 93 56 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 51
{
	{ View 28 }
	{ Subject 24 }
	{ FromShape 50 }
	{ ToShape 29 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 110 138 }
	{ Point 110 258 }
	{ NamePosition 96 198 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 124 153 }
	{ T2Position 124 243 }
	{ T3Position 96 153 }
	{ T4Position 96 243 }
	{ NameDirection None }
}

C2R2Line 52
{
	{ View 28 }
	{ Subject 25 }
	{ FromShape 50 }
	{ ToShape 31 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 157 110 }
	{ Point 290 110 }
	{ NamePosition 223 100 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 173 120 }
	{ T2Position 274 120 }
	{ T3Position 173 100 }
	{ T4Position 274 100 }
	{ NameDirection None }
}

NoteBox 53
{
	{ View 28 }
	{ Subject 13 }
	{ Position 330 190 }
	{ Size 97 40 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
}

Line 54
{
	{ View 28 }
	{ Subject 26 }
	{ FromShape 53 }
	{ ToShape 47 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 332 210 }
	{ Point 337 252 }
	{ NamePosition 347 230 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle WideDotted }
	{ FixedName True }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
}

Line 55
{
	{ View 28 }
	{ Subject 27 }
	{ FromShape 50 }
	{ ToShape 53 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 157 127 }
	{ Point 282 172 }
	{ NamePosition 223 140 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle WideDotted }
	{ FixedName True }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
}

SSDSingleClassBox 60
{
	{ View 28 }
	{ Subject 56 }
	{ Position 550 110 }
	{ Size 101 56 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

Line 61
{
	{ View 28 }
	{ Subject 57 }
	{ FromShape 53 }
	{ ToShape 60 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 373 174 }
	{ Point 500 128 }
	{ NamePosition 432 142 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle WideDotted }
	{ FixedName True }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
}

C2R2Line 62
{
	{ View 28 }
	{ Subject 58 }
	{ FromShape 31 }
	{ ToShape 60 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 370 110 }
	{ Point 500 110 }
	{ NamePosition 435 100 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 386 120 }
	{ T2Position 484 120 }
	{ T3Position 386 100 }
	{ T4Position 484 100 }
	{ NameDirection None }
}

C2R2Line 63
{
	{ View 28 }
	{ Subject 59 }
	{ FromShape 60 }
	{ ToShape 32 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 550 138 }
	{ Point 550 258 }
	{ NamePosition 536 198 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 564 153 }
	{ T2Position 564 243 }
	{ T3Position 536 153 }
	{ T4Position 536 243 }
	{ NameDirection None }
}
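
Review bot: The association edges visible in this file (22 to 25, 58 and 59) all have an empty Name, empty RoleName1 and RoleName2, and "*" for both Constraint1 and Constraint2, so each line carries no label and does not say what the relationship means or which end grants to which. Give each edge a Name or role names, for example edge 22 (Subject1 11, Subject2 4) and edge 58 (Subject1 3, Subject2 56), and tighten the multiplicities wherever "*" on both ends is not intended.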



=== Added File Zope3/doc/security/security_extended.ssd === (1262/1662 lines abridged)
Storage 
{
	{ Format 1.33 }
	{ GeneratedFrom TSSD-version-2.20 }
	{ WrittenBy ctheune }
	{ WrittenOn "" }
}

Document 
{
	{ Type "Static Structure Diagram" }
	{ Name security_extended.ssd }
	{ Author ctheune }
	{ CreatedOn "" }
	{ Annotation "" }
	{ Hierarchy False }
}

Page 
{
	{ PageOrientation Portrait }
	{ PageSize A4 }
	{ ShowHeaders False }
	{ ShowFooters False }
	{ ShowNumbers False }
}

Scale 
{
	{ ScaleValue 1.44 }
}

# GRAPH NODES

SSDClassNode 1
{
	{ Name "Principal" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 2
{
	{ Name "Object" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 3
{
	{ Name "Role" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 4
{
	{ Name "Permission" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 5
{
	{ Name "Operation" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 6
{
	{ Name "Class" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 7
{
	{ Name "Authentication\rService" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 8
{
	{ Name "Operation\rImplementation" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 9
{
	{ Name "Permission\rService" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 10
{
	{ Name "RoleService" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 11
{
	{ Name "Principal\rPermission\rGrants" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 12
{
	{ Name "Principal\rRole\rGrants" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

Note 13
{
	{ Name "different\rLocations" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
}

SSDClassNode 56
{
	{ Name "Role\rPermission\rGrants" }
	{ Annotation "" }
	{ Parent 0 }
	{ Index "" }
	{ Attributes 0 }
	{ Operations 0 }
	{ Stereotype "<< - >>" }
	{ Properties "{ - }" }
}

SSDClassNode 64
{

[-=- -=- -=- 1262 lines omitted -=- -=- -=-]

	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 475 450 }
	{ T2Position 631 440 }
	{ T3Position 475 430 }
	{ T4Position 623 422 }
	{ NameDirection None }
}

SSDSingleClassBox 85
{
	{ View 28 }
	{ Subject 66 }
	{ Position 630 530 }
	{ Size 80 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 86
{
	{ View 28 }
	{ Subject 74 }
	{ FromShape 78 }
	{ ToShape 85 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 460 465 }
	{ Point 590 515 }
	{ NamePosition 530 481 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 471 480 }
	{ T2Position 569 518 }
	{ T3Position 481 462 }
	{ T4Position 579 500 }
	{ NameDirection None }
}

SSDSingleClassBox 87
{
	{ View 28 }
	{ Subject 67 }
	{ Position 630 590 }
	{ Size 80 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 88
{
	{ View 28 }
	{ Subject 75 }
	{ FromShape 85 }
	{ ToShape 87 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 630 553 }
	{ Point 630 568 }
	{ NamePosition 616 560 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 644 563 }
	{ T2Position 644 558 }
	{ T3Position 616 563 }
	{ T4Position 616 558 }
	{ NameDirection None }
}

NoteBox 89
{
	{ View 28 }
	{ Subject 68 }
	{ Position 800 500 }
	{ Size 147 40 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
}

Line 90
{
	{ View 28 }
	{ Subject 76 }
	{ FromShape 85 }
	{ ToShape 89 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 670 523 }
	{ Point 727 513 }
	{ NamePosition 696 509 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle WideDotted }
	{ FixedName True }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
}

SSDSingleClassBox 82
{
	{ View 28 }
	{ Subject 69 }
	{ Position 280 530 }
	{ Size 80 45 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FillStyle Unfilled }
	{ FillColor "white" }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ ShowStereotype False }
	{ ShowProperties False }
}

C2R2Line 91
{
	{ View 28 }
	{ Subject 77 }
	{ FromShape 82 }
	{ ToShape 80 }
	{ Curved False }
	{ End1 Empty }
	{ End2 Empty }
	{ Points 2 }
	{ Point 320 530 }
	{ Point 380 530 }
	{ NamePosition 350 520 }
	{ Color "black" }
	{ LineWidth 1 }
	{ LineStyle Solid }
	{ FixedName False }
	{ Font "-*-courier-medium-r-normal--10*" }
	{ TextAlignment Center }
	{ TextColor "black" }
	{ NameUnderlined False }
	{ T1Position 330 540 }
	{ T2Position 370 540 }
	{ T3Position 330 520 }
	{ T4Position 370 520 }
	{ NameDirection None }
}
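
Review bot: Note 13 carries only the text "different\rLocations" and every Annotation field in the visible nodes is "", so nothing in the visible part of this file explains what the note means for the three grant nodes defined around it (11 "Principal\rPermission\rGrants", 12 "Principal\rRole\rGrants", 56 "Role\rPermission\rGrants"). Expand the note text, or fill the Annotation of those nodes, to state what "Locations" refers to. The empty WrittenOn and CreatedOn values in the Storage and Document blocks could also be filled in so the diagram can be matched to a revision of the document.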


=== Removed File Zope3/doc/security/ASE.txt ===