Archived
TD0617: TLSC wildcard testing
Publication Date
2022.02.16
Protection Profiles
PP_BASE_VIRTUALIZATION_V1.0
Other References
FCS_TLSC_EXT.1.2
Issue Description
Support for wildcards in X.509 reference identifiers is optional according to the FCS_TLSC_EXT.1.2 TSS evaluation activity in PP_BASE_VIRTUALIZATION_V1.0, but Test 5, which tests wildcard handling, is mandatory.
Resolution
FCS_TLSC_EXT.1.2 Test 5 is modified as follows, with strikethroughs denoting deletions and underlines denoting additions:

Test 5: The evaluator shall perform the following wildcard tests with each supported type of reference identifier. The support for wildcards is intended to be optional. If wildcards are supported, the first, second, and third tests below shall be executed. If wildcards are not supported, then the fourth test below shall be executed.
- [conditional]: If wildcards are supported, t
- [conditional]: If wildcards are supported, t
- [conditional]: If wildcards are supported, the evaluator shall present a server certificate containing a wildcard in the left-most label immediately preceding the public suffix (e.g. *.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g. bar.foo.com) and verify that the connection fails.
- [conditional]: If wildcards are not supported, the evaluator shall present a server certificate containing a wildcard in the left-most label (e.g. *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.example.com) and verify that the connection fails.
Justification
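Worked example, added here and not part of TD0617, the Protection Profile or any evaluated TOE: a Python model of a TLS client's DNS-ID reference identifier check that behaves as Test 5 requires, so the *.com, bar.foo.com and foo.example.com cases above can be run offline for both a wildcard-supporting and a non-supporting client. The PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List, and the behaviour for cases the TD does not quote (for instance *.example.com matching foo.example.com when wildcards are supported, and the rejection of partial or embedded wildcards) follows RFC 6125 section 6.4.3 rather than the TD text; the function and case names are this example's own.

```python
"""DNS-ID reference identifier matching with RFC 6125-style wildcard rules.

Added example, not part of TD0617 or the Protection Profile.  It models the
hostname check of a TLS client (the TOE) so the Test 5 cases can be run
offline and the "wildcards supported" / "not supported" behaviours compared.
"""
from __future__ import annotations

# Constructed stand-in for the Public Suffix List (assumption for this example).
# A real client should load the full Mozilla PSL from https://publicsuffix.org/.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, tolerating one trailing dot."""
    return name.lower().rstrip(".").split(".")


def _is_public_suffix(labels: list[str]) -> bool:
    return ".".join(labels) in PUBLIC_SUFFIXES


def dns_id_matches(presented: str, reference: str, *, wildcards_supported: bool) -> bool:
    """Return True when the certificate's presented DNS-ID matches the reference
    identifier the client was configured with.

    Rules (a conservative reading of RFC 6125 section 6.4.3 plus Test 5):
      * a '*' is honoured only when it is the whole left-most label;
      * it matches exactly one label: never zero, never two or more;
      * it is refused when the labels to its right form a public suffix (*.com);
      * a client that does not support wildcards rejects any '*' outright.
    """
    if "*" in reference:
        # A reference identifier is the name the client expects; it never
        # legitimately carries a wildcard.
        return False

    p = _labels(presented)
    r = _labels(reference)

    if "*" not in presented:
        return p == r  # plain, label-by-label, case-insensitive comparison

    if not wildcards_supported:
        # Fourth Test 5 case: a non-supporting TOE must fail the connection
        # rather than improvise a match.
        return False

    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        # Partial (f*.example.com) or embedded (foo.*.example.com) wildcards
        # are not honoured.
        return False

    if _is_public_suffix(p[1:]):
        # Third Test 5 case: *.com must not match foo.com or bar.foo.com.
        return False

    # The wildcard stands for exactly one label; everything to its right must
    # match literally.
    return len(r) == len(p) and r[1:] == p[1:]


def run_test5_cases() -> dict[str, bool]:
    """Run the Test 5 cases quoted in the TD; returns case name -> connection accepted."""
    return {
        # Third conditional test (wildcards supported)
        "*.com vs foo.com": dns_id_matches("*.com", "foo.com", wildcards_supported=True),
        "*.com vs bar.foo.com": dns_id_matches("*.com", "bar.foo.com", wildcards_supported=True),
        # Fourth conditional test (wildcards not supported)
        "*.example.com vs foo.example.com (unsupported)": dns_id_matches(
            "*.example.com", "foo.example.com", wildcards_supported=False
        ),
    }


if __name__ == "__main__":
    for case, accepted in run_test5_cases().items():
        print(f"{case}: {'connection succeeds' if accepted else 'connection fails'}")
```

Every case quoted in the TD must come back as a failed connection; the difference between the two client profiles shows only on inputs the TD does not quote, such as *.example.com against foo.example.com, which a supporting client accepts and a non-supporting client refuses. The public-suffix check is the part most often missing from home-grown matchers, and it is what the *.com case is probing.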
The TOE does not have to support wildcards as long as it handles requests that contain wildcards appropriately, as per PP Base Virtualization v1.1 and the TLS Functional Package.