NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0125:  NIT Technical Decision for Checking validity of peer certificates for HTTPS servers

Publication Date

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References

Issue Description

The Network Interpretations Team (NIT) has issued a technical decision regarding checking validity of peer certificates for HTTPS servers in the NDcPP v1.0 and FW cPP v1.0.


To align with the NIT interpretation #36, FCS_HTTPS_EXT.1.3 is moved to selection-based since the requirement to check peer certificate validity does not apply to HTTPS servers which do not use mutual authentication.

For further information, please see the NIT interpretation at:

FCS_HTTPS_EXT.1.3, the related Application Note, and the Supporting Document are modified as follows:

FCS_HTTPS_EXT.1.3 The TSF shall establish the connection only if [selection: the peer presents a valid certificate during handshake, the peer initiates handshake].

Application Note 51

Select ‘the peer presents a valid certificate’ if the TOE acts as a client, or if mutual certificate-based authentication is enforced when the TOE acts as a client or a server. Certificate validity must be determined according to FIA_X509_EXT.1/Rev if HTTPS is used for FPT_TRP.1/Admin or FTP_ITC.1, and on FIA_X509_EXT.1/ITT if HTTPS is used for FPT_ITT.1.

Select ‘the peer initiates handshake’ if the TOE acts as a server that does not enforce mutual certificate-based authentication. It is understood that in such cases peer authentication is achieved by other means.

The Supporting document should be modified as follows:


The following TSS requirement should be inserted above the existing tests for FCS_HTTPS_EXT.1.



The evaluator shall check that the TSS describes how peer authentication is implemented when HTTPS protocol is used.

The Test 2 requirement in paragraph 117 should also be modified as follows:

117      If ‘the peer presents a valid certificate during handshake’ is selected in FCS_HTTPS_EXT.1.3, then certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1 if HTTPS is used for FTP_TRP.1 or FTP_ITC.1.


See issue description.

Site Map              Contact Us              Home