TD0689: RFC Update in FIA_X509_EXT.1 for MDF PP v3.3
Suite B Documents were moved to historical status (RFC 8423) and the Commercial National Security Algorithm (CNSA) Suite has replaced Suite B.
FIA_X509_EXT.1.1 in MDF PP v3.3 Section 5.1.6 is modified as follows, with strikethrough denoting deletion and underline denoting addition:
FIA_X509_EXT.1.1 The TSF shall validate certificates in accordance with the following rules:
- RFC 5280 certificate validation and certificate path validation.
- The certificate path must terminate with a certificate in the Trust Anchor Database.
- The TSF shall validate a certificate path by ensuring the presence of the basicConstraints extension, that the CA flag is set to TRUE for all CA certificates, and that any path constraints are met.
- The TSF shall validate that any CA certificate includes caSigning purpose in the key usage field
- The TSF shall validate the revocation status of the certificate using [selection: OCSP as specified in RFC 6960, CRL as specified in RFC 57598603, an OCSP TLS Status Request Extension (OCSP stapling) as specified in RFC 6066, OCSP TLS Multi-Certificate Status Request Extension (i.e., OCSP Multi-Stapling) as specified in RFC 6961].
- The TSF shall validate the extendedKeyUsage field according to the following rules:
-- Certificates used for trusted updates and executable code integrity verification shall have the Code Signing Purpose (id-kp 3 with OID 22.214.171.124.126.96.36.199.3) in the extendedKeyUsage field.
-- Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 188.8.131.52.184.108.40.206.1) in the extendedKeyUsage field.
-- Server certificates presented for EST shall have the CMC Registration Authority (RA) purpose (id-kp-cmcRA with OID 220.127.116.11.18.104.22.168.28) in the extendedKeyUsage field. [conditional]
-- Client certificates presented for TLS shall have the Client Authentication purpose (id-kp 2 with OID 22.214.171.124.126.96.36.199.2) in the extendedKeyUsage field.
-- OCSP certificates presented for OCSP responses shall have the OCSP Signing purpose (id-kp 9 with OID 188.8.131.52.184.108.40.206.9) in the extendedKeyUsage field. [conditional]
Test 63 is modified as follows:
RFC 5759 has been replaced by RFC 8603 per RFC 8423.