Archived
TD0098: FCS_CKM.1 Requirement in App PP V1.1
Publication Date
2016.08.29
Protection Profiles
PP_APP_v1.1
Other References
FCS_CKM.1.1, PP_APP_v1.1
Issue Description
In the PP_APP_v1.1, SFR FCS_CKM.1.1 is a Selection-Based Requirement and is included only if FCS_CKM_EXT.1 is also included. FCS_CKM_EXT.1 is listed as only being required if FCS_TLSC_EXT.1 is selected. However, the Selection-Based FCS_TLSC_EXT says nothing about FCS_CKM_EXT.1, so there doesn't appear to be a reason to ever include FCS_CKM_EXT.1 in a ST. But without including FCS_CKM_EXT.1, there is no reason for including FCS_CKM.1.1. It has been determined that this was a flaw in the PP_APP_v1.1 and has been corrected in the App PP V1.2 so that selecting FCS_CKM_EXT.1 in FCS_TLSC_EXT.1 can now result in the selection of FCS_CKM.1. Resolution
NIAP acknowledges the discrepancy and proposes modifying the application note for FCS_TLSC_EXT.1 to state: If “implement TLS 1.2 (RFC 5246)”is selected, then FCS_CKM_EXT.1 is required. Justification
The omission of FCS_CKM.1 was an oversight during development of PP_APP_v1.1 and, hence, the proposed resolution will allow evaluations against PP_APP_v1.1 to include FCS_CKM.1.1. |