Archived
TD0323: NIT Technical Decision for DTLS server testing - Empty Certificate Authorities list
Publication Date
2018.05.18
Protection Profiles
CPP_ND_V2.0E
Other References
ND SD V2.0, FCS_DTLSS_EXT.2.7, FCS_DTLSS_EXT.2.8
Issue Description
The NIT has issued a technical decision for DTLS server testing - Empty Certificate Authorities list.
Resolution
FCS_DTLSS_EXT.2.7 & FCS_DTLSS_EXT.2.8 Test 4 is replaced as follows:
Test 4: The aim of this test is to check the response of the server when it receives a client identity certificate that is signed by an impostor CA (either Root CA or intermediate CA). To carry out this test the evaluator shall configure the client to send a client identity certificate with an issuer field that identifies a CA recognised by the TOE as a trusted CA, but where the key used for the signature on the client certificate does not in fact correspond to the CA certificate trusted by the TOE (meaning that the client certificate is invalid because its certification path does not in fact terminate in the claimed CA certificate). The evaluator shall verify that the attempted connection is denied.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201729.pdf
Justification
See issue description.