Archived
TD0256: NIT Technical Decision for Handling of TLS connections with and without mutual authentication
Publication Date
2017.11.13
Protection Profiles
CPP_ND_V1.0, CPP_ND_V2.0, CPP_ND_V2.0E
Other References
ND SD V1.0, ND SD V2.0, FCS_DTLSC_EXT.2.5 (ND SD V2.0), FCS_TLSC_EXT.2 (ND SD V1.0, ND SD V2.0)
Issue Description
The NIT has issued a technical decision for Handling of TLS connections with and without mutual authentication. Resolution
For ND SD V1.0 and ND SD V2.0 FCS_TLSC_EXT.2.5 Test 1 shall therefore be modified as follows: "The purpose of these tests is to confirm that the TOE appropriately handles connection to peer servers that support and do not support mutual authentication." Test 1: The evaluator shall establish a connection to a peer server that is not configured for mutual authentication (i.e. does not send Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE did not send Client’s Certificate message (type 11) during handshake. Test 2: The evaluator shall establish a connection to a peer server with a shared trusted root that is configured for mutual authentication (i.e. it sends Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE responds with a non-empty Client’s Certificate message (type 11) and Certificate Verify (type 15) messages."
For ND SD V2.0 this consideration applies not only to FCS_TLSC_EXT.2.5 but also FCS_DTLSC_EXT.2.5. FCS_DTLSC_EXT.2.5 Test 1 shall therefore be modified as follows: "The purpose of these tests is to confirm that the TOE appropriately handles connection to peer servers that support and do not support mutual authentication." Test 1: The evaluator shall establish a connection to a peer server that is not configured for mutual authentication (i.e. does not send Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a DTLS channel and confirms that the TOE did not send Client’s Certificate message (type 11) during handshake. Test 2: The evaluator shall establish a connection to a peer server with a shared trusted root that is configured for mutual authentication (i.e. it sends Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a DTLS channel and confirms that the TOE responds with a non-empty Client’s Certificate message (type 11) and Certificate Verify (type 15) messages." For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201705.pdf Justification
See issue description. |