Archived TD0003: RSA Based Key Generation in MDFPP
FCS_CKM.1.1(1) in the MDFPP mandates RSA-based key generation for key establishment (in accordance with NIST Special Publication 800-56B), with DSA and ECDSA as selections. The application notes state that RSA is required in accordance with FCS_TLS_EXT.1 and that, in the future, SP-800-56A for elliptic curves will be required. However, the RSA-based key establishment scheme in FCS_TLS_EXT.1 is not actually mandatory under FCS_TLS_EXT.1: it is needed neither to support the mandatory TLS_RSA_WITH_AES_128_SHA ciphersuite nor to verify a server certificate.
A vendor is not required to implement RSA key generation in accordance with SP800-56B for the purposes of key establishment, as TLS does not require this capability from a client.