NIAP: View Technical Decision Details
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0603:  RFC Update in FIA_X509_EXT.1 for MDF PP v3.2

Publication Date

Protection Profiles

Other References

Issue Description

Suite B Documents were moved to historical status (RFC 8423) and the Commercial National Security Algorithm (CNSA) Suite has replaced Suite B. 


FIA_X509_EXT.1.1 in MDF PP v3.2 is modified as follows, with strikethrough denoting deletion and underline denoting addition:

FIA_X509_EXT.1.1 The TSF shall validate certificates in accordance with the following rules:

- RFC 5280 certificate validation and certificate path validation.

- The certificate path must terminate with a certificate in the Trust Anchor Database.

- The TSF shall validate a certificate path by ensuring the presence of the basicConstraints extension, that the CA flag is set to TRUE for all CA certificates, and that any path constraints are met.

- The TSF shall validate that any CA certificate includes caSigning purpose in the key usage field

- The TSF shall validate the revocation status of the certificate using [selection: OCSP as specified in RFC 6960, CRL as specified in RFC 57598603, an OCSP TLS Status Request Extension (OCSP stapling) as specified in RFC 6066, OCSP TLS Multi-Certificate Status Request Extension (i.e., OCSP Multi-Stapling) as specified in RFC 6961].

The TSF shall validate the extendedKeyUsage field according to the following rules:

-- Certificates used for trusted updates and executable code integrity verification shall have the Code Signing Purpose (id-kp 3 with OID in the extendedKeyUsage field.

-- Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID in the extendedKeyUsage field.

-- Server certificates presented for EST shall have the CMC Registration Authority (RA) purpose (id-kp-cmcRA with OID in the EKU field. [conditional]

-- Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID in the EKU field.

-- OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose  (id-kp 9 with OID in the EKU field. [conditional]


The Application Note and Evaluation Activities are unchanged.


RFC 5759 has been replaced by RFC 8603 per RFC 8423.

Site Map              Contact Us              Home