TD0726: Corrections to (D)TLSS SFRs in TLS 1.1 FP
Publication Date
2023.03.17
Protection Profiles
PKG_TLS_V1.1
Other References
FCS_DTLSS_EXT.1.4, FCS_TLSS_EXT.1.3
Issue Description
In the TLS 1.1 Functional Package (FP), the following discrepancies were uncovered in FCS_DTLSS_EXT.1.4 and FCS_TLSS_EXT.1.3:
1) The last selection item is "no other key establishment methods". This is not a valid selection item because the ST author has to pick at least one key establishment method. If this text is to stay, it needs to come after the big selection (e.g., ...] and no other key establishment methods). This text is not present in the corresponding SFR elements in TLS 2.0 FP.
2) Most of the other selection items contain selections in which the last item is "no other ___". These are not valid selection items because the ST author must pick at least one of the other items. If this text is to stay, it needs to come after the selection (e.g., RSA with size [selection: 2048 bits, 3072 bits, 4096 bits] and no other sizes],). This is what was done in the corresponding SFR elements in TLS 2.0 FP.
Resolution
FCS_TLSS_EXT.1.3 in Appendix B of PKG_TLS_V1.1 is modified as follows, with strikethroughs in red highlighting denoting deletion and underlines in green highlighting denoting additions:

FCS_TLSS_EXT.1.3 The product shall perform key establishment for TLS using [selection:
- RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes] and no other sizes,
- Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other sizes] and no other sizes,
- Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups] and no other groups,
- ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves, no other key establishment methods ].

FCS_DTLSS_EXT.1.4 in Appendix B of PKG_TLS_V1.1 is modified as follows, with strikethroughs in red highlighting denoting deletion and underlines in green highlighting denoting additions:

FCS_DTLSS_EXT.1.4 The product shall perform key establishment for DTLS using [selection:
- RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes] and no other sizes,
- Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other size] and no other sizes,
- Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups] and no other groups,
- ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves, no other key establishment methods ].

Justification
See issue description.