Archived TD0617:  TLSC wildcard testing

Publication Date
2022.02.16

Protection Profiles
PP_BASE_VIRTUALIZATION_V1.0

Other References
FCS_TLSC_EXT.1.2

Issue Description

Support for wildcards in X.509 reference identifiers is optional according to the FCS_TLSC_EXT.1.2 TSS evaluation activity in pp_base_virtualization_v1.0, but Test 5, which exercises wildcard handling, is mandatory.

Resolution

FCS_TLSC_EXT.1.2 Test 5 is modified to read as follows (the original decision marks deletions with strikethrough and additions with underline; that formatting is not preserved here, so only the resulting text of the test is reproduced):

Test 5: The evaluator shall perform the following wildcard tests with each supported type of reference identifier. The support for wildcards is intended to be optional. If wildcards are supported, the first, second, and third tests below shall be executed. If wildcards are not supported, then the fourth test below shall be executed.

- [conditional]: If wildcards are supported, the evaluator shall present a server certificate containing a wildcard that is not in the left-most label of the presented identifier (e.g., foo.*.example.com) and verify that the connection fails.

- [conditional]: If wildcards are supported, the evaluator shall present a server certificate containing a wildcard in the left-most label (e.g., *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g., foo.example.com) and verify that the connection succeeds. The evaluator shall configure the reference identifier without a left-most label as in the certificate (e.g., example.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g., bar.foo.example.com) and verify that the connection fails.

- [conditional]: If wildcards are supported, the evaluator shall present a server certificate containing a wildcard in the left-most label immediately preceding the public suffix (e.g., *.com). The evaluator shall configure the reference identifier with a single left-most label (e.g., foo.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g., bar.foo.com) and verify that the connection fails.

- [conditional]: If wildcards are not supported, the evaluator shall present a server certificate containing a wildcard in the left-most label (e.g., *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g., foo.example.com) and verify that the connection fails.
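As an added illustration (not part of this TD, the PP, or any evaluated TOE), the following Python function implements a reference-identifier matcher that produces exactly the outcomes Test 5 expects, in both the "wildcards supported" and "wildcards not supported" configurations. PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List, and the reference identifier used for the first bullet (foo.bar.example.com) is a constructed value, since the TD does not state one.

```python
"""Reference identifier matching for a TLS client, following FCS_TLSC_EXT.1.2 Test 5."""

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# A real client would load the full list; this small set is an assumption.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def presented_id_matches(presented: str, reference: str,
                         wildcards_supported: bool = True) -> bool:
    """Return True if the certificate's presented DNS identifier (e.g. a SAN
    dNSName) matches the client's configured reference identifier.

    Rules, chosen so that every Test 5 case yields the mandated result:
      * labels are compared case-insensitively;
      * a wildcard is accepted only as the entire left-most label
        (partial-label wildcards such as f*o.example.com are also rejected);
      * the wildcard stands for exactly one label: neither zero nor several;
      * a wildcard directly in front of a public suffix (*.com) is rejected;
      * when wildcards are not supported, any presented '*' fails the match.
    """
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if "" in p_labels or "" in r_labels:
        return False  # empty label means a malformed name

    if "*" not in presented:
        return p_labels == r_labels  # plain identifier: exact label-wise match

    if not wildcards_supported:
        return False  # fourth bullet: *.example.com must not match foo.example.com

    # Wildcard must be the whole left-most label and appear nowhere else
    # (rejects foo.*.example.com from the first bullet).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False

    # Third bullet: the remainder after the wildcard is itself a public suffix.
    if ".".join(p_labels[1:]) in PUBLIC_SUFFIXES:
        return False

    # Second bullet: the wildcard covers exactly one label, so the label counts
    # must be equal and all non-wildcard labels must match.
    return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]
```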

Justification

The TOE does not have to support wildcards as long as it handles presented identifiers that contain wildcards appropriately, as per PP Base Virtualization v1.1 and the TLS Functional Package.
