TD0462: MDM Distributed TOE: Registration Channel Updates
Section 3.1; FCO_CPC_EXT.1
Section 3.1 of PP_MDM_v4.0 states that the ST author must choose FPT_ITT.1(2) for a distributed TOE if the registration channel is between the TSF and the MDM agent that is included in the TOE.
The FPT_ITT.1(2) selections all require the TOE to support mutual authentication and require claiming FIA_X509_EXT.1(1) for the connection. However, this is a registration channel for the MDM Agent as part of the enrollment process. The MDM Agent is not going to have its organizational X.509 certificate because this is something the MDM Agent receives as part of the enrollment process. Then after enrollment the MDM Agent will have its X.509 certificate to present for mutual authentication.
Under previous iterations of the MDM PP, the FTP_TRP.1(2) was used to claim the connection used between the MDM Agents and the MDM Server for enrollment because it did not require mutual authentication.
Figure 3 in Section 3.1 is replaced with the following:
In Appendix C, FCO_CPC_EXT.1.2 is updated as follows, with underlines indicating additions:
FCO_CPC_EXT.1.2 The TSF shall [selection: invoke platform-provided functionality, implement functionality] to
] for at least TSF data.
In Appendix C, under FCO_CPC_EXT.1.3, paragraphs 3 and 4 of the Application Note are modified as follows, with underlines indicating additions:
The channel selection (for the registration channel) in FCO_CPC_EXT.1.2 is essentially a
See issue description.