NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0267:  TLSS testing - Empty Certificate Authorities list

Publication Date
2017.12.08

Protection Profiles
PP_APP_v1.2, PP_MDM_V3.0

Other References
FCS_TLSS_EXT.1.5, FCS_TLSS_EXT.2.4, FCS_TLSS_EXT.1.4

Issue Description

A TLSS test found in PP_APP_v1.2, PP_MDM_v3.0, and PP_BASE_VIRTUALIZATION_v1.0 cannot be performed unless the TOE sends a list of Certificate Authorities in its Certificate Request message. There are implementations of TLS that do not send this list of Certificate Authorities, so this test should be made conditional.

Resolution

07/30/2019: This TD is no longer applicable to the Base Virtualization PP v1.0 as TD0431 incorporates the necessary changes related to the Base Virtualization PP.

The test will be modified in the PPs as follows:


PP_APP_v1.2:

FCS_TLSS_EXT.1.5 Test 4 shall be changed as follows:


"Test 4: If the TOE supports sending a non-empty Certificate Authorities list in its Certificate Request message, the evaluator shall configure the client to send a certificate that does not chain to one of the Certificate Authorities (either a Root or Intermediate CA) in the server’s Certificate Request message. The evaluator shall verify that the attempted connection is denied. If the TOE doesn't support sending a non-empty Certificate Authorities list in its Certificate Request message, this test shall be omitted."
 

PP_MDM_v3.0:

FCS_TLSS_EXT.1.4 Test 4 shall be changed as follows:


"Test 4: If the TOE supports sending a non-empty Certificate Authorities list in its Certificate Request message, the evaluator shall configure the client to send a certificate that does not chain to one of the Certificate Authorities (either a Root or Intermediate CA) in the server’s Certificate Request message. The evaluator shall verify that the attempted connection is denied. If the TOE doesn't support sending a non-empty Certificate Authorities list in its Certificate Request message, this test shall be omitted."

 

PP_BASE_VIRTUALIZATION_v1.0:

FCS_TLSS_EXT.2.4 Test 4 shall be changed as follows:
 
"Test 4: If the TOE supports sending a non-empty Certificate Authorities list in its Certificate Request message, the evaluator shall configure the client to send a certificate that does not chain to one of the Certificate Authorities (either a Root or Intermediate CA) in the server’s Certificate Request message. The evaluator shall verify that the attempted connection is denied. If the TOE doesn't support sending a non-empty Certificate Authorities list in its Certificate Request message, this test shall be omitted."
 

Justification

See issue description.

 
 
Site Map              Contact Us              Home