Archived TD0155: NIT Technical Decision for TLSS tests using ECDHE in the NDcPP v1.0.
ND SD V1.0, FCS_TLSS_EXT.1.3, FCS_TLSS_EXT.2.3
The Network Interpretations Team (NIT) has issued a technical decision regarding TLSS tests using ECDHE in ND SD V1.0.
To align with NIT interpretation # 201662, TLSS tests using ECDHE are optional.
The intention of FCS_TLSS_EXT.1.3 and FCS_TLSS_EXT.2.3 testing is to verify claims of supporting specific key establishment protocols. If, for example, no claim of ECDHE support is made, it follows that ECDHE does not need to be tested. If someone were nevertheless to attempt to connect using an ECDHE cipher suite, the expected outcome is a failure to negotiate the TLS channel when such a connection is forced.
To further clarify this point, the description of Test 1 for FCS_TLSS_EXT.1.3 and FCS_TLSS_EXT.2.3 shall be modified as follows:
"The evaluator shall attempt to establish a connection using each claimed key establishment protocol (RSA, DH, ECDHE) with each claimed parameter (RSA key size, Diffie-Hellman parameters, supported curves) as selected in FCS_TLSS_EXT.1.3 (or FCS_TLSS_EXT.2.3). For example, determining that the RSA key size matches the claimed size is sufficient to satisfy this test. The evaluator shall ensure that each supported parameter combination is tested.
Note that this testing can be accomplished in conjunction with the other testing activities."
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfi201662.pdf