NIAP: View Technical Decision Details
NIAP/CCEVS
TD0278:  Clarification of Role for Managing Manual Certificate Requests

Publication Date
2017.12.21

Protection Profiles
PP_CA_V2.1

Other References
FMT_MOF.1(1); FMT_MOF.1(3)

Issue Description

The CA PP is too restrictive on which role(s) can manage generating a certificate request on behalf of an issuer.

Resolution

 

The following change is made to FMT_MOF.1(1). (bold text)

 

FMT_MOF.1.1(1) Refinement: The [selection: TSF, Operational Environment] shall restrict the ability to

1. manage the TOE locally and remotely;
2. configure the audit mechanism;
3. configure and manage certificate profiles;
4. modify revocation configuration;
5. perform updates to the TOE;
6. perform on-demand integrity tests;
7. import and remove X.509v3 certificates into/from the Trust Anchor Database;

[selection:

8. import [assignment: secret and private keys other than the CA’s signing keys];
9. configure certificate revocation list function;
10. configure OCSP function;
11. disable deprecated algorithms;
12. accept certificates whose validity cannot be determined;
13. export PKCS#10 certificate request;
14. import CA certificate;
15. [assignment: other security management functions]]

to [Administrators].

 

 

The following text is added to the Application Note of FMT_MOF.1(1):

If items 13 & 14 are selected for FMT_MOF.1.1(1), items 5 & 6 cannot be selected in FMT_MOF.1.1(3).

If items 5 & 6 are selected for FMT_MOF.1.1(3), items 13 & 14 cannot be selected in FMT_MOF.1.1(1).

The following text is added as an Application Note of FMT_MOF.1(3):

If items 5 & 6 are selected for FMT_MOF.1.1(3), items 13 & 14 cannot be selected in FMT_MOF.1.1(1).

If items 13 & 14 are selected for FMT_MOF.1.1(1), items 5 & 6 cannot be selected in FMT_MOF.1.1(3).

Justification

See issue description.

 
 