Archived
TD0217: Compliance to RFC5759 and RFC5280 for using CRLs
Publication Date
2017.06.16
Protection Profiles
PP_APP_v1.2
Other References
FIA_X509_EXT.1.1
Issue Description
In APP_PP_V1.2, FIA_X509_EXT.1.1 bullet #4 requires that any compliant application using CRLs comply with RFC 5759, which is written specifically around Suite B cryptography and requires the use of ECDSA. RFC 5280 defines the use of CRLs, their signatures, etc., without mandating ECDSA.
Resolution
FIA_X509_EXT.1.1, Bullet #4 is replaced as follows to allow compliance to RFC 5280 for CRLs:
· The application shall validate the revocation status of the certificate using [selection: the Online Certificate Status Protocol (OCSP) as specified in RFC 2560, a Certificate Revocation List (CRL) as specified in RFC 5280 Section 6.3, a Certificate Revocation List (CRL) as specified in RFC 5759, an OCSP TLS Status Request Extension (i.e., OCSP stapling) as specified in RFC 6066].
Justification
The App PP does not require elliptic curve; it is optional. Therefore, mandating EC for CRL signing is inconsistent.
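The RFC 5280 Section 6.3 CRL option from the Resolution, and the Justification's point that an RSA-keyed issuer is sufficient, worked through in Go as an added example (not code from the PP, the TD or any product): the check verifies the CRL under the issuer's key, confirms the CRL is current, then searches it for the certificate's serial. The CA, serial numbers and CRL are constructed locally and assumed; a real application would obtain the CRL from the certificate's distribution point.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// revokedPerCRL applies RFC 5280 section 6.3: verify the CRL under the issuer's key (RSA here, no ECDSA needed), check it is current, then search it for the serial.
func revokedPerCRL(serial *big.Int, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not current at %v", now)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil // listed: the certificate is revoked
		}
	}
	return false, nil
}
var revokedSerial, validSerial = big.NewInt(1001), big.NewInt(1002) // constructed serials: listed on the sample CRL / not listed
// fixture is constructed sample data standing in for a CRL fetched from a distribution point: an RSA-keyed CA and a CRL it signs that revokes revokedSerial (reason keyCompromise).
func fixture() (issuer *x509.Certificate, crlDER []byte, now time.Time, err error) {
	now = time.Now()
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, now, err
	}
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed App CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required by CheckSignatureFrom
	der, err := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	if err != nil {
		return nil, nil, now, err
	}
	issuer, _ = x509.ParseCertificate(der) // the parsed CA carries the SubjectKeyId generated for it
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revokedSerial, RevocationTime: now.Add(-time.Minute), ReasonCode: 1}}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	return issuer, crlDER, now, err
}
```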