Archived
TD0125: NIT Technical Decision for Checking validity of peer certificates for HTTPS servers
Publication Date
2016.11.15
Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0
Other References
ND SD v1.0, FCS_HTTPS_EXT.1.3
Issue Description
The Network Interpretations Team (NIT) has issued a technical decision regarding checking validity of peer certificates for HTTPS servers in the NDcPP v1.0 and FW cPP v1.0.
Resolution
To align with the NIT interpretation #36, FCS_HTTPS_EXT.1.3 is moved to selection-based since the requirement to check peer certificate validity does not apply to HTTPS servers which do not use mutual authentication. For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI36.pdf.

FCS_HTTPS_EXT.1.3, the related Application Note, and the Supporting Document are modified as follows:

FCS_HTTPS_EXT.1.3 The TSF shall establish the connection only if [selection: the peer presents a valid certificate during handshake, the peer initiates handshake].

Application Note 51
Select ‘the peer presents a valid certificate’ if the TOE acts as a client, or if mutual certificate-based authentication is enforced when the TOE acts as a client or a server. Certificate validity must be determined according to FIA_X509_EXT.1/Rev if HTTPS is used for FPT_TRP.1/Admin or FTP_ITC.1, and on FIA_X509_EXT.1/ITT if HTTPS is used for FPT_ITT.1.

Select ‘the peer initiates handshake’ if the TOE acts as a server that does not enforce mutual certificate-based authentication. It is understood that in such cases peer authentication is achieved by other means.

The Supporting document should be modified as follows:

FCS_HTTPS_EXT.1 HTTPS Protocol

The following TSS requirement should be inserted above the existing tests for FCS_HTTPS_EXT.1.

TSS
FCS_HTTPS_EXT.1.3 The evaluator shall check that the TSS describes how peer authentication is implemented when HTTPS protocol is used.

The Test 2 requirement in paragraph 117 should also be modified as follows:

117 If ‘the peer presents a valid certificate during handshake’ is selected in FCS_HTTPS_EXT.1.3, then certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1 if HTTPS is used for FTP_TRP.1 or FTP_ITC.1.
Justification
See issue description.