TD0789: Correction to TLS Selection in FIA_X509_EXT.2.1
Publication Date
2023.10.02
Protection Profiles
PP_OS_V4.3
Other References
FIA_X509_EXT.2.1, FTP_ITC_EXT.1.1
Issue Description
FIA_X509_EXT.2.1 treats TLS support as mandatory even though FTP_ITC_EXT.1.1 treats it as optional.
Resolution
The SFR and accompanying test for FIA_X509_EXT.2.1 in PP_OS_V4.3 are modified as follows, with green highlights and underlines indicating additions and red highlights with strikethroughs indicating deletions:
The OS shall use X.509v3 certificates as defined by RFC 5280 to support authentication for
Tests
The evaluator will acquire or develop an application that uses the selected OS
The evaluator will repeat the activity for
FTP_ITC_EXT.1.1 in PP_OS_V4.3 is modified as follows, with green highlights and underlines indicating additions and red highlights with strikethroughs indicating deletions:
The OS shall use [selection:
] and [selection:
] ] to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: [selection: audit server, authentication server, management server, [assignment: other capabilities] ] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.
Application Note: The ST author must include the security functional requirements for the trusted channel protocol selected in FTP_ITC_EXT.1.1 in the main body of the ST.
If IPsec as conforming to the PP-Module for Virtual Private Network (VPN) Clients, version 2.4 is selected, then FDP_IFC_EXT.1 must be included in the ST. If SSH is selected, the TSF must be validated against the Functional Package for Secure Shell (SSH), version 1.0 and the corresponding selection is expected to be made in FIA_UAU.5.1. The ST author must include the security functional requirements for the trusted channel protocol selected in FTP_ITC_EXT.1 in the main body of the ST.
Tests
The evaluator
Justification
It is not a requirement that every OS supports TLS.