Archived TD0185: NIT Technical Decision for Channel for Secure Update.
NDcPP V1.0, FWcPP V1.0, FPT_TUD_EXT.1, FTP_ITC.1
The Network Interpretations Team (NIT) has issued a technical decision channel for secure update.
1. Is the TOE required to have a secure connection (FTP_ITC.1) to an external update server, or can the connection be unsecured and simply rely on the trusted update mechanisms in the PP (Signature/Hash)?
2. If the TOE uses HTTPS (which is using TLS) to connect to an external update server as per FTP_ITC.1, does it require mutual X.509 authentication?
3. If the TOE uses TLS to connect to an external update server as per FTP_ITC.1, does it require mutual X.509 authentication?
To align with NIT interpretation # 201657, the following guidance is issued.
The trusted update mechanism is expected to rely on the signature/hash based integrity protection. It is therefore not mandatory to use a secure channel according to FTP_ITC.1 for the communication between the TOE and an external update server.
In response to questions 2 and 3 above: The ST author could use the assignment within the selection in FTP_ITC.1 to add the communication to an external update server, but this is optional. In this case it is up to the ST author to select the secure communication protocol and if TLS is chosen it is up to the ST author, whether TLS with or without mutual authentication is chosen. For details please refer to the Technical Decision regarding RfI#34. Note that if FTP_ITC.1 is used for communication with an external update server the signature/hash based integrity protection mechanism as required by FTP_TUD_EXT.1.3 still needs to be applied.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI57.pdf
See issue description and resolution.