Archived TD0196: Clarification for FCO_NRO_EXT.2.5 when selecting EST
In the PP, FCO_NRO_EXT.2.5 states: “The TSF shall require and verify proof of origin for revocation requests it receives in accordance with [selection: CMC using mechanisms in accordance with FIA_CMC_EXT.1, EST in accordance with FIA_EST_EXT.1].”
RFC 7030, which defines EST, does not include any mechanisms for performing revocation in the simple enrollment specification required by FIA_EST_EXT.1.
For TOEs that support EST, the following notes are added to the Application Note and Assurance Activities for FCO_NRO_EXT.2 Certificate Based Proof of Origin.
A TOE that supports both EST and CMC and can obtain revocation requests via one of the protocols would be in compliance with FCO_NRO_EXT.2.5.
For TOEs that only support EST, and do not support revocation requests under either CMC or EST, the TSS must describe the mechanism used to determine whether to revoke certificates.
For TOEs that only support EST, and do not support revocation requests under either CMC or EST, the evaluator shall examine the guidance to ensure it describes support for privileged user functionality as part of this mechanism.
RFC 7030 allows for full PKI requests that would include revocation requests under CMC. However, support for full PKI requests/CMC is optional. The CA is still required to provide revocation information, but without certificate revocation requests supported under one or both of CMC/EST, the subject or an authorized entity has no standard mechanism to request revocation.