TD0556: NIT Technical Decision for RFC 5077 question
Publication Date
2020.11.06
Protection Profiles
CPP_ND_V2.2E
Other References
NDSDv2.2, FCS_TLSS_EXT.1.4, Test 3
Issue Description
The NIT has issued a technical decision for RFC 5077 because the testing for part A of FCS_TLSS_EXT.1.4 Test 3 can lead to a situation where the TOE correctly obeys RFC 5077 for Session Ticket Renegotiation but does not pass the test as worded.
Resolution
The issue is acknowledged, and FCS_TLSS_EXT.1.4 test case 3(a) shall be modified as follows. The existing text shall be replaced by:

The evaluator shall permit a successful TLS handshake to occur in which a session ticket is exchanged with the non-TOE client. The evaluator shall then attempt to correctly reuse the previous session by sending the session ticket in the ClientHello. The evaluator shall confirm that the TOE responds with the abbreviated handshake described in section 3.1 of RFC 5077 and illustrated with an example in figure 2. Of particular note: if the server successfully verifies the client's ticket, then it may renew the ticket by including a NewSessionTicket handshake message after the ServerHello in the abbreviated handshake (as shown in figure 2). This is not required, however, as further clarified in section 3.3 of RFC 5077.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI202024
Justification
See issue description.
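As an added example (not part of the NIT decision and not an evaluation tool's code), the following Python applies the revised test 3(a) reading to a captured TLS 1.2 server flight: a ServerHello followed by ChangeCipherSpec, with or without a NewSessionTicket in between, is the RFC 5077 abbreviated handshake and passes, while a flight carrying Certificate or ServerHelloDone is a full handshake and fails. The sample flights are constructed byte strings with dummy message bodies; only the record and handshake framing is realistic.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
SERVER_HELLO, NEW_SESSION_TICKET = 2, 4  # handshake msg_type values
FULL_ONLY = {11, 12, 13, 14}  # Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone

def parse_records(data):
    """Yield (content_type, payload) for each TLS record in a captured byte string."""
    i = 0
    while i < len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[i:i + 5])  # struct.error if header is short
        payload = data[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        yield ctype, payload
        i += 5 + length

def handshake_types(payload):
    """Yield the msg_type of each handshake message in a plaintext handshake record."""
    i = 0
    while i + 4 <= len(payload):
        yield payload[i]
        i += 4 + int.from_bytes(payload[i + 1:i + 4], "big")

def classify_server_flight(data):
    """Classify the server's first flight as 'full', 'abbreviated' or 'abbreviated-renewed'.
    Parsing stops at ChangeCipherSpec (the Finished after it is encrypted). In TLS 1.2, CCS right
    after ServerHello, with or without NewSessionTicket, is the RFC 5077 abbreviated handshake."""
    msgs, saw_ccs = [], False
    for ctype, payload in parse_records(data):
        if ctype == CHANGE_CIPHER_SPEC:
            saw_ccs = True
            break
        if ctype == HANDSHAKE:
            msgs.extend(handshake_types(payload))
    if not msgs or msgs[0] != SERVER_HELLO:
        raise ValueError("server flight does not start with ServerHello")
    if any(m in FULL_ONLY for m in msgs):
        return "full"  # ticket ignored or rejected: full handshake, so test 3(a) fails
    if not saw_ccs:
        raise ValueError("flight incomplete: no ChangeCipherSpec after ServerHello")
    return "abbreviated-renewed" if NEW_SESSION_TICKET in msgs else "abbreviated"  # both pass
def _rec(ctype, body): return struct.pack("!BHH", ctype, 0x0303, len(body)) + body  # TLS record framing
def _hs(msg_type, body): return bytes([msg_type]) + len(body).to_bytes(3, "big") + body  # handshake framing
SH = _hs(SERVER_HELLO, b"\x03\x03" + b"\x00" * 35)  # constructed samples: dummy bodies, real framing
CCS_FIN = _rec(CHANGE_CIPHER_SPEC, b"\x01") + _rec(HANDSHAKE, b"\x00" * 40)  # CCS + encrypted Finished
RESUMED_RENEWED = _rec(HANDSHAKE, SH + _hs(NEW_SESSION_TICKET, b"\x00\x00\x0e\x10\x00\x04tick")) + CCS_FIN
RESUMED_PLAIN = _rec(HANDSHAKE, SH) + CCS_FIN
FULL_HS = _rec(HANDSHAKE, SH + _hs(11, b"\x00\x00\x00") + _hs(14, b""))  # Certificate, ServerHelloDone
```

Both RESUMED_RENEWED and RESUMED_PLAIN classify as passing, which is the point of the revised wording: the optional NewSessionTicket renewal must not decide the verdict.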