TD0278: Clarification of Role for Managing Manual Certificate Requests
Publication Date
2017.12.21
Protection Profiles
PP_CA_V2.1
Other References
FMT_MOF.1(1); FMT_MOF.1(3)
Issue Description
The CA PP is too restrictive on which role(s) can manage generating a certificate request on behalf of an issuer.
Resolution
The following change is made to FMT_MOF.1(1). (bold text)
FMT_MOF.1.1(1) Refinement: The [selection: TSF, Operational Environment] shall restrict the ability to
1. manage the TOE locally and remotely;
2. configure the audit mechanism;
3. configure and manage certificate profiles;
4. modify revocation configuration;
5. perform updates to the TOE;
6. perform on-demand integrity tests;
7. import and remove X.509v3 certificates into/from the Trust Anchor Database;
[selection:
8. import [assignment: secret and private keys other than the CA’s signing keys];
9. configure certificate revocation list function;
10. configure OCSP function;
11. disable deprecated algorithms;
12. accept certificates whose validity cannot be determined;
13. export PKCS#10 certificate request;
14. import CA certificate;
15. [assignment: other security management functions]]
to [Administrators].
The following text is added to the Application Note of FMT_MOF.1(1): If items 13 & 14 are selected for FMT_MOF.1.1(1), items 5 & 6 cannot be selected in FMT_MOF.1.1(3). If items 5 & 6 are selected for FMT_MOF.1.1(3), items 13 & 14 cannot be selected in FMT_MOF.1.1(1).
The following text is added as an Application Note of FMT_MOF.1(3): If items 5 & 6 are selected for FMT_MOF.1.1(3), items 13 & 14 cannot be selected in FMT_MOF.1.1(1). If items 13 & 14 are selected for FMT_MOF.1.1(1), items 5 & 6 cannot be selected in FMT_MOF.1.1(3).
Justification
See issue description.