The NIT has issued a technical decision for ambiguous Mutual and Non-Mutual Auth TLSC Testing.

The intent of FCS_[D]TLSC_EXT.1 are twofold:

1) To ensure that TOE [D]TLS clients can securely communicate with a [D]TLS server while authenticating the [D]TLS server; and

2) To act as a common baseline for TOE [D]TLS clients that are capable of mutually authenticating themselves to a [D]TLS server.

A TOE which claims FCS_[D]TLS_EXT.2 is required to also claim FCS_[D]TLSC_EXT.1 and be able to show conformance with all Assurance Activities of FCS_[D]TLSC_EXT.1 and FCS_[D]TLSC_EXT.2 for the channel(s) which support [D]TLS mutual authentication.

Mutual authentication support via FCS_[D]TLSC_EXT.2 can be claimed when the TOE is capable of such functionality.

FCS_[D]TLSC_EXT.1 test cases are designed to be met by TOE [D]TLS clients regardless of whether they can engage in mutual authentication or not. Therefore, paragraph 359 and 536 in the Supporting Document shall be struck:

<remove>

For all tests in this chapter the [D]TLS server used for testing of the TOE shall be configured not to require mutual authentication.

</remove>

Paragraph 292 in the Supporting Document shall be replaced with the following:

<old>

(covered by FCS_DTLSC_EXT.1.1 Test 1 and testing for FIA_X.509_EXT.*).

</old>

<new>

Test 1: The evaluator shall establish a connection to a peer server that is configured for mutual authentication (i.e. sends a server Certificate Request (type 13) message). The evaluator observes that the TOE DTLS client sends both client Certificate (type 11) and client Certificate Verify (type 15) messages during its negotiation of a DTLS channel and that Application Data is sent.

In addition, all other testing in FCS_DTLSC_EXT.1 and FIA_X509_EXT.* must be performed as per the requirements.

</new>

Section 3.6.3.3 in the Supporting Document shall be replaced with the following:

<old>

For all tests in this chapter the TLS server used for testing of the TOE shall be configured to require mutual authentication.

FCS_TLSC_EXT.2.1

(covered by FCS_TLSC_EXT.1.1 Test 1 and testing for FIA_X.509_EXT.*).

</old>

<new>

For all tests in this chapter the TLS server used for testing of the TOE shall be configured to require mutual authentication.

FCS_TLSC_EXT.2.1

Test 1: The evaluator shall establish a connection to a peer server that is configured for mutual authentication (i.e. sends a server Certificate Request (type 13) message). The evaluator observes that the TOE TLS client sends both client Certificate (type 11) and client Certificate Verify (type 15) messages during its negotiation of a TLS channel and that Application Data is sent.

In addition, all other testing in FCS_TLSC_EXT.1 and FIA_X509_EXT.* must be performed as per the requirements.

</new>

Rationale: The intent of FCS_[D]TLSC_EXT.1 was to provide a common baseline of functionality for TOE [D]TLS clients regardless of whether they supported mutual authentication. FCS_[D]TLSC_EXT.2 was meant to supplement the requirements for those [D]TLS clients which could also support mutual authentication.

For further information, please see NIT Interpretation at:  https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI202202.pdf

See Issue Description.