NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0655: Mutual authentication in FTP_DIT_EXT.1 for SW App

Publication Date
2022.07.14

Protection Profiles
PP_APP_v1.4

Other References
FTP_DIT_EXT.1

Issue Description

FTP_DIT_EXT.1 needs more clarity regarding when mutual authentication applies.

Resolution

FTP_DIT_EXT.1 in PP_APP_v1.4 is modified as follows. In the source, strikethrough indicates deletions and underline indicates additions; that formatting does not survive this plain-text rendering, so where both the old and the new wording were captured they are marked [deleted: ...] and [added: ...]:

 

FTP_DIT_EXT.1 Protection of Data in Transit

FTP_DIT_EXT.1.1 The application shall [selection:

· not transmit any [selection: data, sensitive data],

· encrypt all transmitted [selection: sensitive data, data] with [selection: HTTPS as a client in accordance with FCS_HTTPS_EXT.1/Client, HTTPS as a server in accordance with FCS_HTTPS_EXT.1/Server, HTTPS as a server using mutual authentication in accordance with FCS_HTTPS_EXT.2, TLS as a server as defined in the Functional Package for TLS and also supports functionality for [selection: mutual authentication, none], TLS as a client as defined in the Functional Package for TLS, DTLS as a server as defined in the Functional Package for TLS and also supports functionality for [selection: mutual authentication, none], DTLS as a client as defined in the Functional Package for TLS, SSH as defined in the Functional Package for Secure Shell, IPsec as defined in the PP-Module for VPN Client],

· invoke platform-provided functionality to encrypt all transmitted sensitive data with [selection: HTTPS, TLS, DTLS, SSH],

· invoke platform-provided functionality to encrypt all transmitted data with [selection: HTTPS, TLS, DTLS, SSH]

] between itself and another trusted IT product.

 

Application Note: Encryption is not required for applications transmitting data that is not sensitive.

 

If "encrypt all transmitted" is selected and "TLS" or "DTLS" as a client/server is selected, then [deleted: evaluation of elements from either FCS_TLSC_EXT.1 or FCS_TLSS_EXT.1 is required] [added: corresponding elements from the Functional Package for TLS must be selected].

 

If "encrypt all transmitted" is selected, "HTTPS" is selected, and the TOE acts as a client, then FCS_HTTPS_EXT.1/Client is required.

 

If "encrypt all transmitted" is selected, "HTTPS" is selected, and the TOE acts as a server, then FCS_HTTPS_EXT.1/Server is required.

 

If the TOE acts as a server and "mutual authentication" is selected in the TLS Package, then FCS_HTTPS_EXT.2 is also required.

 

If "encrypt all transmitted" is selected and "DTLS" is selected, then FCS_DTLS_EXT.1 is required.

 

If "encrypt all transmitted" is selected and "SSH" is selected, then the TSF shall be validated against the Functional Package for Secure Shell.

 

If "encrypt all transmitted" is selected and "IPsec" is selected, then the TSF must claim conformance to a PP-Configuration that includes the VPN Client PP-Module.

 

If "encrypt all transmitted" is selected, the corresponding FCS_COP.1 requirements will be included.

 

In addition to the above, FIA_X509_EXT.1 and FIA_X509_EXT.2 are required when the following is true:

· "encrypt all transmitted" is selected and the TOE implements a protocol that requires certificates

· "invoke platform-provided functionality to encrypt all transmitted sensitive data" is selected and the platform implements a protocol that requires certificates

· "invoke platform-provided functionality to encrypt all transmitted data" is selected and the platform implements a protocol that requires certificates

Note: When the TOE acts as an HTTPS/(D)TLS server, FIA_X509_EXT.1 and FIA_X509_EXT.2 are not applicable to that server role if "mutual authentication" is not selected: such a server presents its own certificate but does not validate a peer certificate.

The mutual-authentication selections for HTTPS align with the selections in this SFR, and the mutual-authentication selection made here must match the corresponding requirements claimed from the Functional Package for TLS.
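
The distinction the note draws (a server without mutual authentication never validates a peer certificate; a server with it does) is easy to observe in a concrete TLS stack. The following Go program is an added example and is not part of this Technical Decision or of PP_APP_v1.4. It uses only the Go standard library (crypto/tls, crypto/x509), mints a throwaway CA and certificates in memory, and runs four handshakes over a loopback TCP socket: a server in the "none" configuration against an anonymous client, and a server in the "mutual authentication" configuration against a client with a trusted certificate, one with a certificate from an untrusted CA, and one with no certificate. The certificate names (ca.example, server.example, client.example, rogue-ca.example), the loopback address and the helper names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a P-256 certificate for cn signed by parent/parentKey; with parent == nil it is a
// self-signed CA. The certificate names used by the callers are assumptions of this example.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // distinct per call; fine for an example
		Subject:      pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed certificates in this example are the CAs
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// handshake runs one TLS handshake over loopback TCP and returns the server's view of it: how many peer certificates it validated, and the handshake error if any.
func handshake(serverCfg, clientCfg *tls.Config) (peerCerts int, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	serverDone, clientDone := make(chan struct{}), make(chan struct{})
	go func() {
		defer close(clientDone)
		raw, err := net.Dial("tcp", ln.Addr().String())
		must(err)
		_ = tls.Client(raw, clientCfg).Handshake() // the client's outcome mirrors the server's
		<-serverDone                               // keep the socket open until the server is done
		raw.Close()
	}()
	raw, err := ln.Accept()
	must(err)
	s := tls.Server(raw, serverCfg)
	err = s.Handshake()
	peerCerts = len(s.ConnectionState().PeerCertificates)
	close(serverDone)
	raw.Close()
	<-clientDone
	return peerCerts, err
}

type Outcome struct{ PeerCerts int; Err error } // the server-side result of one scenario
// Scenarios exercises the two server-side selections of FTP_DIT_EXT.1 ("none" and "mutual authentication") against three kinds of client.
func Scenarios() map[string]Outcome {
	_, caCert, caKey := issue("ca.example", nil, nil) // trust anchor shared by both sides
	serverCert, _, _ := issue("server.example", caCert, caKey)
	clientCert, _, _ := issue("client.example", caCert, caKey)
	_, rogueCA, rogueKey := issue("rogue-ca.example", nil, nil) // a CA the server does not trust
	rogueClient, _, _ := issue("client.example", rogueCA, rogueKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// Client side: trust the CA, check the server's name and, if asked, present cert as-is (even when its issuer is not among the server's acceptable CAs) so the server's validation decides.
	client := func(cert tls.Certificate) *tls.Config {
		return &tls.Config{ServerName: "server.example", RootCAs: pool,
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }}
	}
	// "none": the server authenticates itself only and never validates a peer certificate, so no X.509 validation runs in this role.
	serverOnly := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	// "mutual authentication": the server demands a client certificate and validates it against ClientCAs, so X.509 validation now runs on the server side as well.
	mutual := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	out := map[string]Outcome{}
	run := func(name string, s, c *tls.Config) { n, err := handshake(s, c); out[name] = Outcome{n, err} }
	run("none, anonymous client", serverOnly, client(tls.Certificate{}))
	run("mutual, trusted client cert", mutual, client(clientCert))
	run("mutual, untrusted client cert", mutual, client(rogueClient))
	run("mutual, client without cert", mutual, client(tls.Certificate{}))
	return out
}

func main() {
	for name, o := range Scenarios() { fmt.Printf("%-30s validated peer certificates: %d, error: %v\n", name, o.PeerCerts, o.Err) }
}
```

Each printed line is the server's view of one scenario. In the server-only case PeerCertificates is empty because no client certificate was ever requested, not because a check was skipped; ClientCAs and ClientAuth are only consulted in the mutual configuration, and that is the configuration in which the untrusted and missing client certificates are rejected.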

Justification

Replaced by TD0743: FTP_DIT_EXT.1.1 Selection exclusivity as per TQ1447
