Archived TD0125: NIT Technical Decision for Checking validity of peer certificates for HTTPS servers
ND SD v1.0, FCS_HTTPS_EXT.1.3
The Network Interpretations Team (NIT) has issued a technical decision regarding checking validity of peer certificates for HTTPS servers in the NDcPP v1.0 and FW cPP v1.0.
To align with NIT interpretation #36, FCS_HTTPS_EXT.1.3 is rewritten as a selection-based requirement, since the requirement to check peer certificate validity does not apply to HTTPS servers that do not use mutual authentication.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI36.pdf.
FCS_HTTPS_EXT.1.3, the related Application Note, and the Supporting Document are modified as follows:
FCS_HTTPS_EXT.1.3 The TSF shall establish the connection only if [selection: the peer presents a valid certificate during handshake, the peer initiates handshake].
Application Note 51
Select ‘the peer presents a valid certificate during handshake’ if the TOE acts as a client, or if mutual certificate-based authentication is enforced when the TOE acts as a client or a server. Certificate validity must be determined according to FIA_X509_EXT.1/Rev if HTTPS is used for FTP_TRP.1/Admin or FTP_ITC.1, and according to FIA_X509_EXT.1/ITT if HTTPS is used for FPT_ITT.1.
Select ‘the peer initiates handshake’ if the TOE acts as a server that does not enforce mutual certificate-based authentication. It is understood that in such cases peer authentication is achieved by other means.
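The two selections map directly onto a TLS endpoint's peer-authentication policy. The Go program below is an added illustration, not part of the TD and not NIAP's or any TOE's code: it mints throwaway self-signed certificates (constructed test material, not real CAs), then runs loopback handshakes showing a server that does not request a client certificate (the ‘peer initiates handshake’ selection), a server that enforces mutual authentication and rejects a client presenting no certificate, and a client that rejects a server certificate it cannot chain to a trusted anchor (the TOE-as-client case). The names toe-https-server and admin-workstation and the helper functions are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity mints a self-signed certificate for cn (constructed test material, not a
// real CA) usable as a TLS identity, plus a pool holding it as the only trust anchor.
func newIdentity(cn string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// ServerConfig models the TOE as an HTTPS server: mutual=false is the 'peer initiates
// handshake' selection; mutual=true verifies the client certificate against clientCAs.
func ServerConfig(id tls.Certificate, mutual bool, clientCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{id}}
	if mutual {
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = clientCAs
	}
	return cfg
}

// ClientConfig models the TOE as an HTTPS client: the server certificate is always
// validated against roots (chain, validity period, EKU, name); id is offered if non-nil.
func ClientConfig(roots *x509.CertPool, id *tls.Certificate) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, ServerName: "127.0.0.1"}
	if id != nil {
		cfg.Certificates = []tls.Certificate{*id}
	}
	return cfg
}

// Handshake runs one TLS handshake over loopback TCP and returns each side's error (nil
// means that side established the connection). Under TLS 1.3 the client finishes before
// the server's verdict arrives, so serverErr is the authoritative result for server checks.
func Handshake(server, client *tls.Config) (serverErr, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close() // also unblocks Accept if Dial below fails
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		done <- tls.Server(raw, server).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr = tls.Client(raw, client).Handshake()
	return <-done, clientErr
}

func main() {
	srvID, srvPool := newIdentity("toe-https-server")
	cliID, cliPool := newIdentity("admin-workstation")
	for _, c := range []struct{ name string; server, client *tls.Config }{
		{"server-only, anonymous client", ServerConfig(srvID, false, nil), ClientConfig(srvPool, nil)},
		{"mutual, trusted client cert", ServerConfig(srvID, true, cliPool), ClientConfig(srvPool, &cliID)},
		{"mutual, no client cert", ServerConfig(srvID, true, cliPool), ClientConfig(srvPool, nil)},
		{"client distrusts server cert", ServerConfig(srvID, false, nil), ClientConfig(cliPool, nil)},
	} {
		sErr, cErr := Handshake(c.server, c.client)
		fmt.Printf("%-30s server: %v | client: %v\n", c.name, sErr, cErr)
	}
}
```

Go's crypto/tls verifier performs chain building, validity-period, extended-key-usage and name checks, but no revocation check; a TOE claiming FIA_X509_EXT.1 must additionally validate revocation status (CRL or OCSP, as selected), for example in a VerifyPeerCertificate callback, before treating the peer certificate as valid. The first scenario is the only one in which a server that never asks for a client certificate can satisfy FCS_HTTPS_EXT.1.3, which is exactly why the TD adds the ‘peer initiates handshake’ selection for that case.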
The Supporting Document should be modified as follows:
FCS_HTTPS_EXT.1 HTTPS Protocol
The following TSS requirement should be inserted above the existing tests for FCS_HTTPS_EXT.1.
The evaluator shall check that the TSS describes how peer authentication is implemented when HTTPS protocol is used.
The Test 2 requirement in paragraph 117 should also be modified as follows:
117 If ‘the peer presents a valid certificate during handshake’ is selected in FCS_HTTPS_EXT.1.3, then certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1 if HTTPS is used for FTP_TRP.1 or FTP_ITC.1.
See issue description.