TD0389: Handling of SSH EP claim for platform
Currently, FTP_DIT_EXT.1 in the App PP says that if SSH is selected as a trusted protocol, the SSH EP is also claimed. The SSH EP says that all FCS_SSH* requirements are implemented by "the SSH client". It does not discuss whether this client is TOE-provided or part of the underlying OS platform (unlike the TLS requirements in the App PP which allow the ST author to select between "platform-provided TLS" and "TSF-provided TLS").
This TD supersedes TD0177.
FTP_DIT_EXT.1.1 is modified as follows (changes underlined):
not transmit any [selection: data, sensitive data],
] between itself and another trusted IT product.
Application Note: Extended packages may override this requirement to provide for other protocols. Encryption is not required for applications transmitting data that is not sensitive.
If "encrypt all transmitted" is selected and TLS is selected, then evaluation of elements from either FCS_TLSC_EXT.1 or FCS_TLSS_EXT.1 is required.
For platform-provided functionality, the evaluator shall verify the TSS contains the calls to the platform that TOE is leveraging to invoke the functionality.
The evaluator shall perform the following tests.
For Android: If "not transmit any data" is selected, the evaluator shall ensure that the application's AndroidManifest.xml file does not contain a uses-permission or uses-permission-sdk-23 tag containing android:name="android.permission.INTERNET". In this case, it is not necessary to perform the above Tests 1, 2, or 3, as the platform will not allow the application to perform any network communication.
For iOS: If "encrypt all transmitted data" is selected, the evaluator shall ensure that the application's Info.plist file does not contain the NSAllowsArbitraryLoads or NSExceptionAllowsInsecureHTTPLoads keys, as these keys disable iOS's Application Transport Security feature.
See issue description.