NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
U.S. Government Approved Protection Profile - Protection Profile for Certification Authorities Version 2.1
Short Name: pp_ca_v2.1
Technology Type: Certificate Authority
CC Version: 3.1
Date: 2017.12.01
Transition End Date: 2018.06.01
Preceded By: pp_ca_v2.0
Conformance Claim: None
PP OVERVIEW
Certification Authorities (CAs), and the infrastructure they support, form the basis for one of the primary mechanisms for providing strong assurance of identity in online transactions. The widely placed trust in CAs is at the heart of security mechanisms used to protect business and financial transactions online. Notably, protocols using Transport Layer Security (TLS) rely on certificates issued by CAs to identify and authenticate servers and clients in web transactions. Governments around the world rely on CAs to identify parties involved in transactions with them. However, historical high-profile security breaches at major CAs trusted by widely used operating systems and browsers have highlighted both the critical role CAs play in securing electronic transactions and the need to strongly protect them from malicious attacks. Analyses have revealed that these security breaches were often the result of insufficient security controls being in place on the computer systems and networks at these CAs, and were sometimes exacerbated by weak record keeping. Third-party auditing programs, whose role it was to verify that proper security controls were in place, were not sufficient to identify these lapses in security.
This Protection Profile (PP) describing security requirements for a Certification Authority is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well-defined and described threats. These requirements support CA operations performed in accordance with the National Institute of Standards and Technology (NIST) Interagency or Internal Report (IR) 7924 (Second Draft), Reference Certificate Policy, referred to as the “NIST IR.”
This U.S. Government Approved Protection Profile is not assigned to any Validated Products
Active Related Technical Decisions
- 0844 – Addition of Assurance Package for Flaw Remediation V1.0 Conformance Claim
  References: Conformance Claims
- 0796 – Removal of SHA-1 from Various Selections
  References: FCS_COP.1.1(3), FCS_COP.1.1(4), FCS_COP.1.1(5), FCS_TLSC_EXT.2.1, FCS_TLSS_EXT.1.1
- 0782 – Terminology Change in CAPP: Extended to Functional Package
  References: Terminology, Conformance Claims, FIA_X509_EXT.2, ATE_IND.1.2E, FTP_ITC.1.3, FDP_ITT.1.1, FPT_ITT.1.1
- 0599 – Corrections to SAR Section in CAPP
- 0522 – Updates to Certificate Revocation (FIA_X509_EXT.1)
  References: FIA_X509_EXT.1
- 0500 – Cryptographic selections and updates for CAPP
  References: FCS_CKM.1 and FCS_CKM.2
- 0415 – Trusted Update Test 4 Conditional
  References: FPT_TUD_EXT.1
- 0375 – FMT_MOF.1(4) selection
- 0353 – Guidance for Certificate Profiles
  References: FDP_CER_EXT.1.1
- 0348 – FCS_TLSS_EXT.2.4 for TLS 1.2 or higher
  References: FCS_TLSS_EXT.2.4
- 0328 – Split Knowledge Procedures distinction
  References: FPT_SKY_EXT.1
- 0294 – Correction of TLS SFRs in CA PP ver 2.1
  References: FCS_TLSC_EXT.2, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2
- 0287 – FAU_STG.4 Testing
- 0286 – Audit Events for FPT_RCV.1
- 0278 – Clarification of Role for Managing Manual Certificate Requests
  References: FMT_MOF.1(1); FMT_MOF.1(3)
- 0276 – X.509 Code Signing on TOE Updates
  References: FIA_X509_EXT.2.1