NIAP: View Technical Decision Details
Archived TD0151:  NIT Technical Decision for FCS_TLSS_EXT Testing - Issue 1 in NDcPP v1.0.

Publication Date

Protection Profiles

Other References

Issue Description

The Network Interpretations Team (NIT) has issued a technical decision regarding FCS_TLSS_EXT Testing in NDcPP v1.0.


To align with NIT interpretation # 201643a_Issue1, the following changes to SD ND V1.0 are made:

Issue 1: The NIT acknowledges the findings but recommends simplifying the testing requirements in the related sections instead of specifying more detailed test requirements. Tests 4a.) and 4b.) for FCS_TLSS_EXT.1.1 are related to the situation where mutual authentication is required. Tests 4a.) and 4b.) shall be removed for FCS_TLSS_EXT.1.1, because mutual authentication is not required for FCS_TLSS_EXT.1 but only for FCS_TLSS_EXT.2.

By restricting the required modification to the signature block of the client’s Certificate Verify handshake message in Test 6b.) for FCS_TLSS_EXT.2.4 and FCS_TLSS_EXT.2.5, 4b.) for FCS_TLSS_EXT.2.1 should also be covered without changing the intention of Test 6b.) for FCS_TLSS_EXT.2.4 and FCS_TLSS_EXT.2.5. Test 4c adequately covers a bad Finished message, so overall Test 4a.) is also covered.

Therefore Test 6b.) for FCS_TLSS_EXT.2.4 and FCS_TLSS_EXT.2.5 shall be modified as follows and Tests 4a.) and 4b.) for FCS_TLSS_EXT.1.1 and FCS_TLSS_EXT.2.1 shall be removed to avoid redundancy.

Test 6b.): Configure the server to require mutual authentication and then modify a byte in the *signature block of the* client’s Certificate Verify handshake message. The evaluator shall verify that the server rejects the connection.
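The restriction in Test 6b.) means the altered byte must fall inside the signature itself, not in the handshake header, algorithm identifier or length fields. The following sketch is an added example, not part of the NIT decision or any NIAP material; it assumes the TLS 1.2 CertificateVerify layout from RFC 5246, and the function names and sample message are hypothetical and constructed for illustration.

```python
CERTIFICATE_VERIFY = 15  # HandshakeType certificate_verify (RFC 5246)


def signature_span(msg: bytes) -> tuple[int, int]:
    """Return (start, end) offsets of the signature bytes in a TLS 1.2
    CertificateVerify handshake message (assumed layout):
    type(1) | length(3) | hash alg(1) | sig alg(1) | sig length(2) | signature
    """
    if len(msg) < 8:
        raise ValueError("message too short")
    if msg[0] != CERTIFICATE_VERIFY:
        raise ValueError("not a CertificateVerify message")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    sig_len = int.from_bytes(msg[6:8], "big")
    if sig_len == 0 or 8 + sig_len != len(msg):
        raise ValueError("signature length mismatch")
    return 8, 8 + sig_len


def corrupt_signature(msg: bytes, index: int = 0) -> bytes:
    """Flip one bit of one byte inside the signature block only."""
    start, end = signature_span(msg)
    if not 0 <= index < end - start:
        raise IndexError("index outside signature block")
    out = bytearray(msg)
    out[start + index] ^= 0x01  # header, algorithm and length fields untouched
    return bytes(out)


def build_sample() -> bytes:
    """Constructed sample message; the 64 'signature' bytes are placeholders."""
    sig = bytes(range(64))
    body = bytes([0x04, 0x01]) + len(sig).to_bytes(2, "big") + sig  # sha256, rsa
    return bytes([CERTIFICATE_VERIFY]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    original = build_sample()
    mutated = corrupt_signature(original, index=5)
    changed = [i for i, (a, b) in enumerate(zip(original, mutated)) if a != b]
    print("signature span:", signature_span(original), "changed offsets:", changed)
```

Because the message still parses with valid lengths and algorithm fields, a server that rejects it is doing so at signature verification, which is the behaviour Test 6b.) is meant to confirm.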

For further information, please see the NIT interpretation at:


See issue description.
