NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0603:  RFC Update in FIA_X509_EXT.1 for MDF PP v3.2

Publication Date
2022.10.14

Protection Profiles
PP_MDF_V3.2

Other References
FIA_X509_EXT.1.1

Issue Description

Suite B Documents were moved to historical status (RFC 8423) and the Commercial National Security Algorithm (CNSA) Suite has replaced Suite B. 

Resolution

FIA_X509_EXT.1.1 in MDF PP v3.2 is modified as follows, with strikethrough denoting deletion and underline denoting addition:

FIA_X509_EXT.1.1 The TSF shall validate certificates in accordance with the following rules:

- RFC 5280 certificate validation and certificate path validation.

- The certificate path must terminate with a certificate in the Trust Anchor Database.

- The TSF shall validate a certificate path by ensuring the presence of the basicConstraints extension, that the CA flag is set to TRUE for all CA certificates, and that any path constraints are met.

- The TSF shall validate that any CA certificate includes caSigning purpose in the key usage field.

- The TSF shall validate the revocation status of the certificate using [selection: OCSP as specified in RFC 6960, CRL as specified in RFC ~~5759~~ <u>8603</u>, an OCSP TLS Status Request Extension (OCSP stapling) as specified in RFC 6066, OCSP TLS Multi-Certificate Status Request Extension (i.e., OCSP Multi-Stapling) as specified in RFC 6961].

The TSF shall validate the extendedKeyUsage field according to the following rules:

-- Certificates used for trusted updates and executable code integrity verification shall have the Code Signing Purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field.

-- Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.

-- Server certificates presented for EST shall have the CMC Registration Authority (RA) purpose (id-kp-cmcRA with OID 1.3.6.1.5.5.7.3.28) in the EKU field. [conditional]

-- Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the EKU field.

-- OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the EKU field. [conditional]

 

The Application Note and Evaluation Activities are unchanged.
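
The extendedKeyUsage rules of FIA_X509_EXT.1.1 above can be checked per use of a certificate, as in the following added example (not part of the Technical Decision or of any evaluated product). The purpose labels, `HasPurpose` and `Sample` are names assumed for this sketch; only the EKU rules are covered, so path validation, basicConstraints, key usage and revocation checking are left to the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// Labels are names chosen for this example; the OIDs are those in FIA_X509_EXT.1.1.
var purposeOID = map[string]asn1.ObjectIdentifier{
	"code-signing": {1, 3, 6, 1, 5, 5, 7, 3, 3}, "tls-server": {1, 3, 6, 1, 5, 5, 7, 3, 1},
	"tls-client": {1, 3, 6, 1, 5, 5, 7, 3, 2}, "est-server": {1, 3, 6, 1, 5, 5, 7, 3, 28},
	"ocsp-signing": {1, 3, 6, 1, 5, 5, 7, 3, 9},
}

// HasPurpose compares by OID against the raw extendedKeyUsage extension (2.5.29.37).
func HasPurpose(c *x509.Certificate, purpose string) bool {
	want, known := purposeOID[purpose]
	var got []asn1.ObjectIdentifier
	for _, ext := range c.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 37}) {
			if _, err := asn1.Unmarshal(ext.Value, &got); err != nil {
				return false
			}
		}
	}
	for _, oid := range got {
		if known && oid.Equal(want) {
			return true
		}
	}
	return false // no EKU extension, unknown label, or purpose not listed
}

// Sample self-signs the template into a constructed test certificate (hypothetical helper).
func Sample(t *x509.Certificate) (*x509.Certificate, error) {
	t.SerialNumber, t.DNSNames = big.NewInt(1), []string{"example.test"}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	return x509.ParseCertificate(der)
}

func main() {
	c, _ := Sample(&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	fmt.Println(HasPurpose(c, "tls-server"), HasPurpose(c, "tls-client")) // true false
}
```

A certificate that carries only anyExtendedKeyUsage, or no extendedKeyUsage extension at all, is rejected by this check for every purpose.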

Justification

RFC 5759 has been replaced by RFC 8603 per RFC 8423.

 
 