Archived
TD0473: Support for Client or Server TOEs in FCS_HTTPS_EXT
Publication Date
2020.01.21
Protection Profiles
PP_APP_v1.3
Other References
FCS_HTTPS_EXT.1
Issue Description
FCS_HTTPS_EXT.1, as currently written, appears to apply only to TLSC implementations. It does not support TLSS implementations, and it does not take into account the fact that mutual authentication for TLS is selectable, so clients are not required to present a certificate.
Resolution
11/16/2021: This TD has been archived and superseded by TD0601.

FCS_HTTPS_EXT.1 is rewritten as follows:

FCS_HTTPS_EXT.1/Client HTTPS Protocol
This selection-based component depends upon selection in FTP_DIT_EXT.1.1.

FCS_HTTPS_EXT.1.1/Client The application shall implement the HTTPS protocol that complies with RFC 2818.
Evaluation Activity
TSS
The evaluator shall examine the TSS and determine that enough detail is provided to explain how the implementation complies with RFC 2818.

FCS_HTTPS_EXT.1.2/Client The application shall implement HTTPS using TLS as defined in the TLS package.
Evaluation Activity
TSS

FCS_HTTPS_EXT.1.3/Client The application shall [selection: not establish the application-initiated connection, notify the user and not establish the user-initiated connection, notify the user and request authorization to establish the user-initiated connection] if the peer certificate is deemed invalid.
Application Note: Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with RFC 5280.
Evaluation Activity
TSS

FCS_HTTPS_EXT.1/Server HTTPS Protocol
This selection-based component depends upon selection in FTP_DIT_EXT.1.1.

FCS_HTTPS_EXT.1.1/Server The application shall implement the HTTPS protocol that complies with RFC 2818.
Evaluation Activity
TSS
The evaluator shall examine the TSS and determine that enough detail is provided to explain how the implementation complies with RFC 2818.

FCS_HTTPS_EXT.1.2/Server The application shall implement HTTPS using TLS as defined in the TLS package.
Evaluation Activity
TSS

A new SFR, FCS_HTTPS_EXT.2, is added as follows:

FCS_HTTPS_EXT.2 HTTPS Protocol with Mutual Authentication
This selection-based component depends upon selection in FTP_DIT_EXT.1.1.

FCS_HTTPS_EXT.2.1 The application shall [selection: not establish the connection, establish or not establish the connection based on an administrative or user setting] if the peer certificate is deemed invalid.
Application Note: Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with RFC 5280.
TSS

In the Application Note for FTP_DIT_EXT.1, the paragraph that refers to HTTPS is rewritten as follows:

If "encrypt all transmitted" is selected, HTTPS is selected, and the TOE acts as a client, FCS_HTTPS_EXT.1/Client is required. If "encrypt all transmitted" is selected, HTTPS is selected, and the TOE acts as a server, FCS_HTTPS_EXT.1/Server is required. If the TOE acts as a server and mutual authentication is selected in the TLS Package, then FCS_HTTPS_EXT.2 is also required.
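The following is an added illustration of what these requirements look like in an implementation; it is not part of the TD or of PP_APP_v1.3. Using only Python's standard ssl module, the client context treats the three validity criteria from the Application Note (certificate path, expiration, revocation) plus the RFC 2818 server identity check as hard handshake requirements, and implements the first two FCS_HTTPS_EXT.1.3/Client selections by refusing the connection when verification fails. The server context enforces the "not establish the connection" selection of FCS_HTTPS_EXT.2.1 by requiring and validating a client certificate during the handshake. The InvalidPeerPolicy names, the file-path parameters and the host names are this example's own assumptions.

```python
"""Client and server TLS contexts that enforce the peer-certificate behaviour of
FCS_HTTPS_EXT.1.3/Client and FCS_HTTPS_EXT.2.1 (added example, not TD text)."""
import socket
import ssl
from enum import Enum


class InvalidPeerPolicy(Enum):
    """The two FCS_HTTPS_EXT.1.3/Client selections that refuse the connection.
    Names are this example's own; the third selection (proceed on user
    authorization) is deliberately not modelled here."""
    REFUSE = "not establish the application-initiated connection"
    NOTIFY_AND_REFUSE = "notify the user and not establish the user-initiated connection"


def build_client_context(ca_file=None, crl_file=None):
    """Context for a TLS client speaking HTTPS per RFC 2818.
    ca_file / crl_file are optional PEM paths (assumed); with ca_file=None the
    platform trust store is used."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # certificate path must validate (RFC 5280)
    ctx.check_hostname = True                    # RFC 2818 server identity check
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT   # reject non-conforming certificates
    if crl_file is not None:
        # Revocation is part of "validity" in the Application Note. OpenSSL only
        # checks it when a CRL has been loaded and a CRL-check flag is set.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def client_context_is_compliant(ctx):
    """True when the context has every setting the client SFR relies on."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT))


def build_server_context(cert_chain_file, key_file, client_ca_file):
    """Context for a TLS server with mutual authentication (FCS_HTTPS_EXT.2).
    CERT_REQUIRED makes the handshake fail when the client presents no certificate
    or one whose path does not validate: the "not establish the connection"
    selection of FCS_HTTPS_EXT.2.1. All three arguments are assumed PEM paths."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_chain_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    return ctx


def handle_invalid_peer(policy, host, reason, notify):
    """Apply the selected FCS_HTTPS_EXT.1.3/Client behaviour after the peer
    certificate was deemed invalid. Returns False for both modelled selections:
    the connection is never established; NOTIFY_AND_REFUSE also tells the user."""
    if policy is InvalidPeerPolicy.NOTIFY_AND_REFUSE:
        notify(f"Refusing HTTPS connection to {host}: peer certificate invalid ({reason})")
    return False


def open_https_connection(host, port, ctx, policy, notify=print, timeout=5.0):
    """Connect and complete the TLS handshake with a context from
    build_client_context(). Returns the TLS socket, or None when the peer
    certificate fails path, expiry, revocation or hostname validation."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # do_handshake_on_connect is True by default, so verification failures
        # surface here and the underlying socket is closed by the ssl module.
        return ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        # verify_message carries OpenSSL's reason, e.g. "certificate has expired"
        handle_invalid_peer(policy, host, exc.verify_message, notify)
        return None
```

Because the client never downgrades to an unverified context, an expired, revoked or mis-issued server certificate can only ever produce a refused connection (and, under NOTIFY_AND_REFUSE, a user-visible message), which is the evidence an evaluator would look for in the TSS for FCS_HTTPS_EXT.1.3/Client.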
Justification
See issue description.