TD0780: FIA_X509_EXT.1 Test 4 Clarification
Publication Date
2023.08.30
Protection Profiles
PP_APP_v1.4
Other References
FIA_X509_EXT.1
Issue Description
TD0669 introduced some abiguity into test 4. Resolution
This TD updates changes introduced in TD0669, which is now archived. The following modifications are made to Test 4 for FIA_X509_EXT.1.1 in PP_APP_v1.4, with red highlight with strikethroughs denoting deletion and green highlight with underlines denoting additions:
Test 4: If any OCSP option is selected, the evaluator shall configure the TSF to reject certificates if it cannot access valid status information, if so configurable. Then the evaluator shall ensure the TSF has no other source of revocation information available and configure the OCSP server or use a man-in-the-middle tool to present an OCSP response signed by a certificate that does not have the OCSP signing purpose and which is the only source of revocation status information advertised by the CA issuing the certificate being validated. The evaluator shall verify that validation of the OCSP response fails and that the TOE treats the certificate being checked as invalid and rejects the connection. If CRL is selected, the evaluator shall likewise configure the CA to be the only source of revocation status information, and sign a CRL with a certificate that does not have the cRLsign key usage bit set Justification
See issue description. |