Archived
TD0340: NIT Technical Decision for Handling of the basicConstraints extension in CA and leaf certificates
Publication Date
2018.08.02
Protection Profiles
CPP_FW_V2.0E, CPP_ND_V2.0E
Other References
FIA_X509_EXT.1.1
Issue Description
The NIT has issued a technical decision for handling of the basicConstraints extension in CA and leaf certificates.
Resolution
FIA_X509_EXT.1.1 (NDcPP V1.0, FWcPP V1.0), FIA_X509_EXT.1.1/Rev, item 3 (NDcPP V2.0, FWcPP V2.0), and FIA_X509_EXT.1.1/ITT, item 3 (NDcPP V2.0, FWcPP V2.0) shall be modified as follows: "The TSF shall validate a certification path by ensuring that all CA certificates in the certification path contain the basicConstraints extension with the CA flag set to TRUE."
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201724.pdf
Justification
According to RFC 5280, the presence of the basicConstraints extension is mandated only for CA certificates. Therefore the focus of the FIA_X509_EXT.1.1 SFRs has been restricted to CA certificates. This was ambiguous in the original SFRs.
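
The modified rule, shown as an added example in Go using the standard crypto/x509 package (not text from the technical decision or the cPPs): every certificate after the leaf must carry basicConstraints with the CA flag TRUE, while the leaf is not required to have the extension. The leaf-first path ordering, the function names and the self-signed sample certificates are assumptions of this example; signature, validity and other path checks are out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCABasicConstraints applies the modified rule to a path ordered leaf
// first: every CA certificate must carry basicConstraints with CA set to TRUE.
func CheckCABasicConstraints(path ...*x509.Certificate) error {
	for i, c := range path {
		switch {
		case i == 0: // leaf: RFC 5280 does not mandate the extension here
		case !c.BasicConstraintsValid: // extension absent from the certificate
			return fmt.Errorf("%s: basicConstraints missing", c.Subject.CommonName)
		case !c.IsCA:
			return fmt.Errorf("%s: basicConstraints CA flag is FALSE", c.Subject.CommonName)
		}
	}
	return nil
}

// mkCert builds a constructed self-signed certificate (sample data only).
func mkCert(cn string, hasBC, isCA bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: hasBC, IsCA: isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	fmt.Println(CheckCABasicConstraints(mkCert("leaf", false, false), mkCert("sub CA", true, false)))
}
```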