Archived TD0201: NIT Technical Decision for Use of intermediate CA certificates and certificate hierarchy depth
ND SD v1.0, FIA_X509_EXT.1.1, FIA_X509_EXT.1.2
The NIT has issued a Technical Decision for the Use of intermediate CA certificates and certificate hierarchy depth.
To align with NIT interpretation # 201663, NIAP supports the interpretation written below:
Network Devices and Firewalls compliant with the NDcPP or FWcPP are expected to be capable of performing X.509 certificate validation based on root certificates, intermediate CA certificates and device certificates. The tests defined in the SD for FIA_X509_EXT.1.1 and FIA_X509_EXT.1.2 test this expected behavior and shall therefore be applied as written.
According to Annex K of the revised CCRA, the set of cPP and related SDs together define the minimum set of security requirements on the TOE. The NIT acknowledges, though, that all security requirements on the TOE should be reflected by the SFR as far as possible, and that introducing new security requirements on the TOE through evaluation activities in the SD should be avoided. The NIT therefore recommends that future versions of the NDcPP and FWcPP express the expected TOE behavior more clearly in the X.509 related SFRs.
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201663.pdf
See issue description.