Archived
TD0045: Removal of FDP_OCSP_EXT.1.2 in CAPP
Publication Date
2015.05.20
Protection Profiles
PP_CA_v1.0
Other References
PP_CA_v1.0
Issue Description
FDP_OCSP_EXT.1.2 specifies elements for OCSP formats that do not conform to RFC 6960.
Resolution
1) The following requirement is being removed from the CAPP:
FDP_OCSP_EXT.1.2 For formats other than those specified by IETF RFC 6960, the following elements shall be present:
a) Version
b) Signature algorithm field
c) Time at which status is known to be correct
d) Time at which response was signed
e) Time at which next response will be available
2) Removing “ [assignment: other OCSP standards]], no other certificate status information]” from the FCO_NRO_EXT.2.2 requirement. The revised requirement reads:
FCO_NRO_EXT.2.2: The TSF shall provide proof of origin for certificate status information it issues in accordance with the digital signature requirements in [selection: CRLs (RFC 5280), OCSP (RFC 6960)] and FCS_COP.1(2).
Addition to Application Note: Implementations additionally meeting a specific OCSP profile such as RFC 5019 should be interoperable with a client fully compliant with RFC 6960. In future versions of this document, SHA-1 may be removed as an option, at which point the OCSP Profile defined in RFC 5019 will be considered obsolete.
3) Removing “the OCSP standard as defined by [selection: RFC 6960, other OCSP standard]]” from the FDP_CSI_EXT.1.1 requirement. The revised requirement reads:
FDP_CSI_EXT.1.1 The TSF shall provide certificate status information whose format complies with [selection: ITU-T Recommendation X.509v1 CRL, ITU-T Recommendation X.509v2 CRL, RFC 6960].
Addition to Application Note: Implementations additionally meeting a specific OCSP profile such as RFC 5019 should be interoperable with a client fully compliant with RFC 6960. In future versions of this document, SHA-1 may be removed as an option, at which point the OCSP Profile defined in RFC 5019 will be considered obsolete.
Justification
Non-conformance with the RFC is not allowed.