Validated Product - Public Key Infrastructure Framework (PKIF) Version 1.2

Certificate Date: 08 August 2006

Validation Report Number: CCEVS-VR-06-0022

Product Type: PKI/KMI

Conformance Claim: EAL4 Augmented with ALC_FLR.1

PP Identifier: U.S. Government Family of Protection Profiles for Public Key Enabled Applications, Version 2.6.1 (Archived)

CC Testing Lab: CygnaCom Solutions, Inc


PRODUCT DESCRIPTION

PKIF performs X.509 certification path processing, including certification path development and certification path validation. Certification path validation consists of validating certificates starting with the one certified by a trust anchor and ending with the one issued to the subscriber of interest. PKIF supports X.509 version 3 Certificates and X.509 CRLs, versions 1 and 2. All processing is X.509 and PKIX RFC 3280 compliant.

There are three types of public key certificates involved in certificate path validation:

  • Trust anchor (TA) certificates: These are certificates containing public keys that do not require any validation. Trust anchors generally take the form of a self-signed certificate. TAs must be delivered to entities that rely on the TA's public key using trusted means. The primary purpose of the trust anchor is to provide a means of conveying a Distinguished Name (DN), public key, algorithm identifier, and the public key parameters (if applicable) for use in validating certification paths.
  • Intermediate certificates: These are the certificates issued to CAs. All certificates in a certification path are intermediate certificates, except the trust anchor certificate and end entity certificate.
  • End certificates: The end certificate is the last certificate in the certification path and is issued to the subscriber of interest. It is an end-entity certificate (i.e., a certificate issued to an entity not functioning as a CA).

PKIF processes the following security-related certificate extensions: ocsp-nocheck, keyUsage, extendedKeyUsage, and basicConstraints. It also processes the following certificate policy-related extensions: certificatePolicies, policyMapping, inhibitAnyPolicy, policyConstraints, and nameConstraints.

By default, PKIF assumes that the path validation is being done as of the current system time, as opposed to verification of signature relative to a point in time in the past. However, applications can specify a time other than the current time for use during path validation.

SECURITY EVALUATION SUMMARY

The Public Key Infrastructure Framework Version 2.1 TOE was evaluated against the Common Criteria for Information Technology Security Evaluation, Version 2.2, by the CygnaCom Solutions Common Criteria Testing Laboratory (CCTL). The evaluation methodology used was the Common Methodology for Information Technology Security Evaluation, Version 2.2. The CCTL concluded that the TOE was Common Criteria Part 2 and Part 3 conformant with EAL4 augmented with ALC_FLR.1, and is recommending that a certificate be issued. The validation was conducted by NIAP's Common Criteria Evaluation and Validation Scheme (CCEVS). The evaluation was completed on April 4, 2006.

ENVIRONMENTAL STRENGTHS

PKIF is a C++ software library designed to simplify the task of adding PKI support to applications. It performs PKI-related functions, including the following:

  • Certification Path Processing
  • CMS based Signature Generation
  • CMS based Signature Verification using PKI
  • PKI Encryption using Key Transfer Algorithms functionality
  • PKI Decryption using Key Transfer Algorithms functionality
  • Online Certificate Status Protocol Client functionality
  • Certificate revocation list processing functionality

The interface to PKIF permits applications to perform a variety of tasks in addition to and in support of the functions listed above. The following sections describe the PKIF functions and the TSF interface of the library.

United States Marine Corps.

Lt. Col. Brad R. Schieferdecker
703.432.5136
brad.schieferdecker@usmc.mil

http://www.usmc.mil