Archived TD0377: Tests for MDM unique certificates
The test for FIA_X509_EXT.2.3 in PP_MDM_V3.0 currently requires a unique certificate for each device and does not allow for the possibility that the MD Agent may not allow certificates to be loaded.
FIA_X509_EXT.2.3 in PP_MDM_V3.0 shall be modified as follows, with modifications marked with underlines:
FIA_X509_EXT.2.3 The [selection: TSF, TOE platform] shall require a unique certificate for each client device.
Application Note: Each client device will have a unique X.509v3 certificate for use by the MDM Agent; the certificate is not to be reused among clients. This requirement is to ensure that the
MDM Server either provides a unique certificate or verifies that each client certificate is unique.
If "invoke platform-provided functionality" is selected, the evaluator shall examine the TSS of the MDM Server's ST to verify that it describes (for each supported platform) how this functionality is invoked (it should be noted that this may be through a mechanism that is not implemented by the MDM Server; nonetheless, that mechanism will be identified in the TSS as part of this evaluation activity).
If "implement functionality" is selected then the evaluator shall examine the TSS to verify that it describes the methods to ensure that each client utilizes a unique certificate.
For each MDM Agent/platform listed as supported in the ST:
The evaluator shall utilize appropriate combinations of specialized operational environment and development tools (debuggers, simulators, etc.) for the TOE and instrumented TOE builds as needed to perform this test.
One of the following tests must be performed depending on if the MDM agent allows for the loading of certificates.
See issue description.