TD0439: EAP-TLS Revocation Checking
It is not clear if revocation checking is required for EAP-TLS connections. Also, for TOEs that connect to access points using EAP-TLS implemented in a WLAN client, it is not possible for the TOE to have access to a revocation server to check the EAP-TLS server certificate duting the initial connection.
Updated 09/05/2019 to update Table 2: Auditable Events
FAU_GEN.1/WLAN is modified as follows:
The following iteration of FIA_X509_EXT.1 is added to the WLAN Client EP v1.0.
FIA_X509_EXT.1/WLAN X.509 Certificate Validation
FIA_X509_EXT.1.1/WLAN The TSF shall validate certificates for EAP-TLS in accordance with the following rules:
FIA_X509_EXT.1.2/WLAN The TSF shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE.
Application Note: FIA_X509_EXT.1/WLAN lists the rules for validating certificates for EAP-TLS. In contrast to FIA_X509_EXT.1 in the Base-PP, this iteration does not require revocation checking for the EAP-TLS connection used to establish a WiFi connection. The FIA_X509_EXT.1 requirements defined in each of the possible base PPs define requirements that the underlying platform is expected to implement in order to support compliance with RFC 5280.
The evaluator shall ensure the TSS describes where the check of validity of the EAP-TLS certificates takes place. The evaluator ensures the TSS also provides a description of the certificate path validation algorithm.
The tests described must be performed in conjunction with the other Certificate Services assurance activities. The tests for the extendedKeyUsage rules are performed in conjunction with the uses that require those rules. The evaluator shall create a chain of at least four certificates: the node certificate to be tested, two Intermediate CAs, and the self-signed Root CA.
See issue description. It is likely that revocation checking will be required in future versions of WLAN Client EP and the TC is investigating the feasibility of alternative mechanisms.