TD0556: NIT Technical Decision for RFC 5077 question
NDSDv2.2, FCS_TLSS_EXT.1.4, Test 3
The NIT has issued a technical decision for RFC 5077 because the testing for part A of FCS_TLSS_EXT.1.4 Test 3 can lead to a situation where the TOE correctly obeys RFC 5077 for Session Ticket Renegotiation but does not pass the tests as worded.
The issue is acknowledged and FCS_TLSS_EXT.1.4 test case 3(a) shall be modified as follows:
shall be replaced by
The evaluator shall permit a successful TLS handshake to occur in which a session ticket is exchanged with the non-TOE client. The evaluator shall then attempt to correctly reuse the previous session by sending the session ticket in the ClientHello. The evaluator shall confirm that the TOE responds with the abbreviated handshake described in section 3.1 of RFC 5077 and illustrated with an example in figure 2. Of particular note: if the server successfully verifies the client's ticket, then it may renew the ticket by including a NewSessionTicket handshake message after the ServerHello in the abbreviated handshake (as shown in figure 2). This is not required, however, as further clarified in section 3.3 of RFC 5077.
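The check the modified test asks the evaluator to make, as an added example that is not part of this technical decision: given the server's captured flight in response to a ClientHello carrying a session ticket, decide whether it is the RFC 5077 abbreviated handshake (ServerHello, optional NewSessionTicket, ChangeCipherSpec, Finished) or a full handshake. It assumes TLS 1.2 record framing, constructed sample flights with dummy message bodies, and that the one handshake record following ChangeCipherSpec is the (encrypted) Finished message.

```python
from __future__ import annotations

# TLS record content types and the handshake message types of interest (RFC 5246 / RFC 5077).
CCS, HANDSHAKE = 20, 22
HS_NAMES = {2: "ServerHello", 4: "NewSessionTicket", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone", 20: "Finished"}

def server_flight_messages(records: bytes) -> list[str]:
    """Return the message names of a server flight in wire order, parsing only headers."""
    msgs, i, encrypted = [], 0, False
    while i + 5 <= len(records):
        ctype, length = records[i], int.from_bytes(records[i + 3:i + 5], "big")
        body, i = records[i + 5:i + 5 + length], i + 5 + length
        if ctype == CCS:
            msgs.append("ChangeCipherSpec")
            encrypted = True
        elif ctype == HANDSHAKE and encrypted:
            msgs.append("Finished")  # assumption: the post-CCS handshake record is the encrypted Finished
        elif ctype == HANDSHAKE:
            j = 0
            while j + 4 <= len(body):  # several handshake messages may share one record
                htype, hlen = body[j], int.from_bytes(body[j + 1:j + 4], "big")
                msgs.append(HS_NAMES.get(htype, f"Handshake({htype})"))
                j += 4 + hlen
    return msgs

def classify_server_flight(records: bytes) -> tuple[str, bool]:
    """('abbreviated', ticket_renewed) for an RFC 5077 section 3.1 flight, else ('full', False)."""
    msgs = server_flight_messages(records)
    renewed = "NewSessionTicket" in msgs  # optional per RFC 5077 section 3.3
    core = [m for m in msgs if m != "NewSessionTicket"]
    if core == ["ServerHello", "ChangeCipherSpec", "Finished"]:
        return "abbreviated", renewed
    return "full", False  # e.g. ServerHello, Certificate, ..., ServerHelloDone: ticket was not accepted

# Constructed sample flights (dummy bodies; only the framing matters for the check).
def _hs(t: int, body: bytes) -> bytes:
    return bytes([t]) + len(body).to_bytes(3, "big") + body

def _rec(t: int, payload: bytes) -> bytes:
    return bytes([t, 3, 3]) + len(payload).to_bytes(2, "big") + payload

SERVER_HELLO = _hs(2, b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f\x00")
TICKET = _hs(4, b"\x00\x00\x0e\x10" + b"\x00\x04" + b"\xaa\xbb\xcc\xdd")
ABBREVIATED_RENEWED = _rec(22, SERVER_HELLO + TICKET) + _rec(20, b"\x01") + _rec(22, b"\x55" * 40)
ABBREVIATED_NO_RENEWAL = _rec(22, SERVER_HELLO) + _rec(20, b"\x01") + _rec(22, b"\x55" * 40)
FULL_HANDSHAKE = _rec(22, SERVER_HELLO + _hs(11, b"\x00\x00\x00") + _hs(14, b""))
```

Both abbreviated forms pass the modified test; only the full handshake indicates the TOE did not resume the session from the ticket.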
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI202024.
See issue description.