Archived TD0099: X509 in SVPP
The application note for FIA_X509_EXT.2.1 mandates that the selection shall match the selection in FTP_ITC.1, however, FTP_ITC.1 is not in the SV PP.
SSH, as defined in the mandatory RFCs 4252 and 4253 explicitly does not refer X.509. Further, the default implementation of SSH is OpenSSH which does not cover X.509 and the developers behind explicity refused to add X.509 handling due to various reasons. So when providing SSH access to administrators, is it required to implement X.509 handling?
Currently, FIA_X509_EXT.1 and FIA_X509_EXT.2 are both in the threshold requirements section. However, they are only required if the selection for FPT_TUD_EXT.1.3 includes “digital signature mechanism”, or if the selections for FTP_TRP.1.1 or FAU_STG_EXT.1 include “IPsec”, “TLS”, or “TLS/HTTPS”.
The first line of the application note for FIA_X509_EXT.2.1: "The ST author's selection shall match the selection of FTP_ITC.1.1" will be removed since FTP_ITC.1.1 is not in the SV PP.
FIA_X509_EXT.1 and FIA_X509_EXT.2 will both be moved to selection-based requirements and the application notes of the following SFRs will be modified to clarify conditions under which these SFRs will be required.
For FPT_TUD_EXT.1.3, the following sentence will be added to the Application Note:
If “digital signature mechanism” is selected, then the ST author will include both FIA_X509_EXT.1 and FIA_X509_EXT.2 from the Selection-Based Requirements section in their ST.
For both FTP_TRP.1.1and FAU_STG_EXT.1 the following sentence will be added to their respective Application Notes:
If “IPsec”, “TLS”, or “TLS/HTTPS” are selected, then the ST author will include both FIA_X509_EXT.1 and FIA_X509_EXT.2 from the Selection-Based Requirements section in their ST.
This clarifies that FIA_X509_EXT.1 and FIA_X509_EXT.2 only need to be included in the Security Target if certain selections are made in other requirements.