Archived TD0151: NIT Technical Decision for FCS_TLSS_EXT Testing - Issue 1 in NDcPP v1.0.
ND SD V1.0, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2
The Network Interpretations Team (NIT) has issued a technical decision regarding FCS_TLSS_EXT Testing in NDcPP v1.0.
To align with NIT interpretation #201643a_Issue1, the following changes to SD ND V1.0 are made:
Issue 1: The NIT acknowledges the findings but recommends simplifying the testing requirements in the related sections rather than specifying more detailed test requirements. Tests 4a.) and 4b.) for FCS_TLSS_EXT.1.1 apply to the case where mutual authentication is required. Tests 4a.) and 4b.) shall be removed for FCS_TLSS_EXT.1.1, because mutual authentication is not required for FCS_TLSS_EXT.1 but only for FCS_TLSS_EXT.2.
By restricting the required modification in Test 6b.) for FCS_TLSS_EXT.2.4 and FCS_TLSS_EXT.2.5 to the signature block of the client's Certificate Verify handshake message, Test 4b.) for FCS_TLSS_EXT.2.1 is also covered without changing the intention of Test 6b.) for FCS_TLSS_EXT.2.4 and FCS_TLSS_EXT.2.5. Test 4c.) adequately covers a bad Finished message, so Test 4a.) is covered as well.
Therefore, Test 6b.) for FCS_TLSS_EXT.2.4 and FCS_TLSS_EXT.2.5 shall be modified as follows, and Tests 4a.) and 4b.) for FCS_TLSS_EXT.1.1 and FCS_TLSS_EXT.2.1 shall be removed to avoid redundancy.
Test 6b.): Configure the server to require mutual authentication and then modify a byte in the *signature block of the* client’s Certificate Verify handshake message. The evaluator shall verify that the server rejects the connection.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201643a_Issue1.pdf.
See issue description.