NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0659:  Change to Required NIST Curves for FCS_CKM.1/AK

Publication Date
2022.07.13

Protection Profiles
PP_APP_v1.4

Other References
FCS_CKM.1/AK

Issue Description

In FCS_CKM.1.1/AK in the App PP, the "[ECC schemes]" selection currently mandates both P-256 and P-384, with P-521 being optional. However, FCS_TLSC_EXT.5.1 in the TLS Package is open-ended with respect to the values that may be claimed in the Supported Groups Extension when ECDHE schemes are supported.

Resolution

This TD was archived on 1/18/2023 and replaced by TD0717.

The following change is made to FCS_CKM.1/AK in Section B.1 in Appendix B in PP_APP_V1.4, with strikethrough denoting deletion and underline denoting addition:

FCS_CKM.1.1/AK The application shall [selection:

- invoke platform-provided functionality,

- implement functionality

] to generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [selection:

[RSA schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following FIPS PUB 186-4, "Digital Signature Standard (DSS), Appendix B.3",

[ECC schemes] using [“NIST curves” ~~P-256,~~ P-384 and [selection: <u>P-256,</u> P-521, no other curves]] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.4],

[FFC schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Appendix B.1],

[FFC Schemes] using Diffie-Hellman group 14 that meet the following: RFC 3526, Section 3,

[FFC Schemes] using “safe-prime” groups that meet the following: NIST Special Publication 800-56A Revision 3, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” and [selection: RFC 3526, RFC 7919]

].
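One way to check generated EC keys against the amended selection, as an added example that is not part of the NIAP text: it reads the named-curve OID from each key's DER SubjectPublicKeyInfo and reports findings. The function names, the idea of sampling generated public keys, and the all-zero sample keys are assumptions made for illustration.

```python
# Added example (not NIAP code); stdlib only. Names and sample keys are illustrative.
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "P-256",   # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "P-384",         # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "P-521",         # 1.3.132.0.35
}
REQUIRED = {"P-384"}                              # before this TD: P-256 and P-384

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def spki_curve(der):
    """Curve name from an EC SubjectPublicKeyInfo; None if not P-256/384/521."""
    tag, spki, _ = read_tlv(der)
    tag2, algid, _ = read_tlv(spki)
    tag3, alg, nxt = read_tlv(algid)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06) or alg != EC_PUBLIC_KEY:
        raise ValueError("not an EC SubjectPublicKeyInfo")
    tag4, curve_oid, _ = read_tlv(algid, nxt)
    if tag4 != 0x06:
        raise ValueError("curve is not a named-curve OID")
    return CURVES.get(curve_oid)

def evaluate(spkis, required=REQUIRED):
    """Findings for a set of generated keys; an empty list means conformant."""
    seen = [spki_curve(d) for d in spkis]
    findings = [f"{c} not generated" for c in sorted(set(required) - set(seen))]
    if None in seen:
        findings.append("key on a curve outside P-256/P-384/P-521")
    return findings

def sample_spki(curve_oid, coord_len):
    """Constructed input: all-zero point, so only the header is meaningful."""
    def tlv(tag, val):
        ln = bytes([len(val)]) if len(val) < 0x80 else bytes([0x81, len(val)])
        return bytes([tag]) + ln + val
    algid = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + tlv(0x06, curve_oid))
    return tlv(0x30, algid + tlv(0x03, b"\x00\x04" + bytes(2 * coord_len)))
```

Passing `required={"P-256", "P-384"}` to `evaluate` reproduces the rule as it stood before this TD, so the same key set can be compared under both.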

 

Justification

Support for P-384 is required by the current CNSA RFC for TLS (RFC 9151), but P-256 is sometimes still useful for interoperability.

 
 