TD0692: OSPP 4.3 Conditional FIA_X509_EXT.1 testing
Publication Date
2022.12.13
Protection Profiles
PP_OS_V4.3
Other References
FIA_X509_EXT.1.1
Issue Description
In the new OSPP v4.3, test cases 73 and 74 should be marked as conditional on whether X.509 certificates are claimed as an authentication mechanism defined in FIA_UAU.5. Currently they appear to be mandatory test cases.
Resolution
FIA_X509_EXT.1.1 Tests 73 and 74 in Section 5.1.6 of PP_OS_V4.3 are modified as follows, with underlines denoting additions:
[Conditional, to be performed if "authentication based on X.509 certificates" is selected in FIA_UAU.5]: The evaluator will generate an X.509v3 certificate for a user with the Client Authentication Extended Key Usage field set. The evaluator will provision the OS for authentication with the X.509v3 certificate. The evaluator will ensure that the certificates are validated by the OS as per FIA_X509_EXT.1.1 and then conduct the following two tests:
Test 73: The evaluator will attempt to authenticate to the OS using the X.509v3 certificate. The evaluator will ensure that the authentication attempt is successful.
Test 74: The evaluator will generate a second certificate identical to the first except for the public key and any values derived from the public key. The evaluator will attempt to authenticate to the OS with this certificate. The evaluator will ensure that the authentication attempt is unsuccessful.
Justification
See issue description.
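One way an evaluator might prepare the certificate pair for Tests 73 and 74 with the OpenSSL command line. This is an added example, not part of the Technical Decision or the Protection Profile. The throwaway CA, the subject name, the serial number, the validity dates and the choice to sign both certificates with the same CA are assumptions; provisioning the OS is product-specific and not shown.

```shell
# Added example (not from the TD): build the Test 73/74 certificate pair.
# CA name, subject, serial and validity dates below are constructed values.
make_test_certs() (   # subshell body, so the cd does not leak to the caller
    mkdir -p "$1/new" && cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = testca
[testca]
database = index.txt
new_certs_dir = new
serial = serial
default_md = sha256
policy = pol
unique_subject = no
[pol]
commonName = supplied
[usr]
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config ca.cnf -extensions v3ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -subj "/CN=Constructed Test CA" -days 3650 \
        2>/dev/null || exit 1
    for n in 1 2; do   # same subject, serial, dates and EKU; fresh key pair each time
        : > index.txt; echo 1001 > serial   # reset CA state so the serial repeats
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "user$n.key" \
            -out "user$n.csr" -subj "/CN=testuser" 2>/dev/null &&
        openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key -notext \
            -extensions usr -startdate 250101000000Z -enddate 350101000000Z \
            -in "user$n.csr" -out "user$n.pem" 2>/dev/null || exit 1
    done
)

field() { openssl x509 -in "$1" -noout "$2"; }
# True when subject, issuer, serial and validity match but the public keys differ.
same_except_key() {
    for f in -subject -issuer -serial -dates; do
        [ "$(field "$1" "$f")" = "$(field "$2" "$f")" ] || return 1
    done
    [ "$(field "$1" -pubkey)" != "$(field "$2" -pubkey)" ]
}

# True when the certificate carries the Client Authentication EKU.
has_client_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}
```

After `make_test_certs ./x509-test`, `user1.pem` is the certificate to provision for Test 73 and `user2.pem` is the Test 74 certificate; `same_except_key` confirms the pair before it is used.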