TD0808: Clarification on EKU Fields for FIA_X509_EXT.1/STIP
Publication Date
2023.11.30
Protection Profiles
MOD_STIP_V1.1
Other References
FIA_X509_EXT.1/STIP
Issue Description
A lack of clarity in the PP made it appear as if compliant TOEs were only required to check one of three possible scenarios that may be presented for EKU fields in certificates presented to the TOE by the server. This will be revisited in the next version of the PP.
Resolution
FIA_X509_EXT.1/STIP in MOD_STIP_V1.1 is modified as follows, with green-highlighted underlines indicating additions and red-highlighted strikethroughs indicating deletions:
FIA_X509_EXT.1.1/STIP The TSF shall validate certificates used for connections supporting STIP functions in accordance with the following rules:
- The extendedKeyUsage field is present and contains the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) and
- [selection:
  - There is no extendedKeyUsage field,
  - The extendedKeyUsage field is present and contains the ‘any’ purpose (id-…),
  - No other conditions
  ].
The following is appended to the Application Note for FIA_X509_EXT.1/STIP:
It is highly recommended that the selection for extendedKeyUsage include both “There is no extendedKeyUsage field” and “The extendedKeyUsage field is present and contains the ‘any’ purpose” options to ensure the TOE is able to be used to inspect traffic to external servers that do not follow best practice certificate guidance. When either of these options is not supported, it is required that server certificates presented to the TOE that do not present supported features are considered invalid, and in accordance with FCS_TTTC_EXT.1.3, the inspected session is terminated, blocking access to such sites.
Justification
See Issue Description.
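The EKU rule in the Resolution and its Application Note can be expressed as a decision function. The sketch below is an added example, not text or code from MOD_STIP_V1.1 or this TD. It assumes the Server Authentication case is always accepted and the two selectable options are additional accepted cases; the `Selection` names, the sample certificates and the `anyExtendedKeyUsage` OID (2.5.29.37.0, from RFC 5280) are not taken from the page.

```python
# Added illustration; all names here are hypothetical, not from MOD_STIP_V1.1.
from enum import Enum

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp 1, OID as given in the SFR
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage per RFC 5280 (assumption)


class Selection(Enum):
    """Optional selections a TOE may claim in FIA_X509_EXT.1.1/STIP."""
    NO_EKU_FIELD = "There is no extendedKeyUsage field"
    ANY_PURPOSE = "extendedKeyUsage is present and contains the 'any' purpose"


def eku_acceptable(eku_oids, selections):
    """eku_oids: None if the extension is absent, else an iterable of OIDs.
    selections: set of Selection claimed; empty set = 'No other conditions'."""
    if eku_oids is None:
        return Selection.NO_EKU_FIELD in selections
    oids = set(eku_oids)
    if SERVER_AUTH in oids:
        return True  # always accepted, whatever is selected
    # Extension present without serverAuth: only 'any' can rescue it.
    return ANY_EKU in oids and Selection.ANY_PURPOSE in selections


def session_action(eku_oids, selections):
    """Unsupported EKU => certificate invalid => inspected session terminated
    (the outcome the Application Note ties to FCS_TTTC_EXT.1.3)."""
    return "inspect" if eku_acceptable(eku_oids, selections) else "terminate"


# Constructed sample server certificates, reduced to their EKU contents.
SAMPLE_CERTS = {
    "server-auth": [SERVER_AUTH],
    "no-eku": None,
    "any-only": [ANY_EKU],
    "client-auth-only": ["1.3.6.1.5.5.7.3.2"],
}


def evaluate(selections):
    """Map each sample certificate to the action a TOE with these selections takes."""
    return {n: session_action(e, selections) for n, e in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for label, sel in (("no other conditions", set()),
                       ("both options", set(Selection))):
        print(label, evaluate(sel))
```

Comparing the two configurations shows which external servers become unreachable through the TOE when the recommended options are not claimed.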