Device Class 1: Unlinkability

Control ID: ISO FPR_UNL.1 Unlinkability Family: Privacy Source: ISO 15408-2
Control: The organization and information system shall ensure that [Assignment: set of users and/or subjects] are unable to determine whether [Assignment: list of operations][Selection: were caused by the same user, are related as follows[Assignment: list of relations]].
Supplemental Guidance:
For a device that supports unlinkability, what is ensured is that: if an application on a device has not been revoked, then [no users in the system outside security management users, and no security management users from a single organization within security management as specified in the CAMP SCMS interface documents, and no two users who work in two different security management organizations and do not collude dishonestly can determine whether two application messages from the same device, sufficiently separated in space and time from each other, come from the same device.“Sufficiently” in this context is as specified in the CAMP SCMS documentation, but should not in any event by greater than 10 minutes.

Related Controls: AC-12, AU-2, IA-5, IA-11
Control Enhancements: N/A
References: N/A
Mechanisms:

  • A device that supports unlinkability:
    • Shall support reversible pseudonymity as defined in ISO FPR_PSE_2
    • Shall allow applications to change their certificate from time to time .
    • Shall provide a mechanism to change device identifiers associated with that certificate such as MAC addresses at the same time as any certificate changes.
    • Shall provide a mechanism to notify applications that a certificate change has been requested and will be implemented shortly.
    • Shall provide a mechanism to allow applications to request a delay in certificate change during which no change will occur.
    • Shall set a timeout on the maximum delay in certificate change after it is first requested.
      • This timeout shall support the value “five minutes”

Protocol Implementation Conformance Statements:
ID Statement Status Reference Notes
FPR_UNL.2/1 Provides a mechanism for applications to change their certificate from time to time M FPR_PSE.1 Define mechanism
FPR_UNL.2/1.1 Provides a mechanism to change device identifiers associated with that certificate M Define mechanism
FPR_UNL.2/1.2 Provides a mechanism to notify applications of certificate changes M Define mechanism
FPR_UNL.2/1.3 Provides a mechanism to allow applications to request a delay in certificate change during which no change will occur M Define mechanism
FPR_UNL.2/1.4 Shall set a timeout on the maximum delay in certificate change after it is first requested. M
FPR_UNL.2/1.5 Allows timeout value 'five minutes' M