TD0727: Update to FCS_COP.1/SIGN for CNSA 1.0 compliance
GPOS PP 4.3 FCS_COP.1/SIGN allows support for RSA signatures of 2048-bit and greater. If the goal is for GPOS PP 4.3 to be CNSA 1.0 compliant, the RSA minimum signature key size should be 3072-bit.
FCS_COP.1/SIGN in Section 5.1.1 of PP_OS_4.3 is modified as follows, with strikethrough in red highlighting denoting deletion and underline in green highlighting denoting addition:
The OS shall perform [cryptographic signature services (generation and
verification)] in accordance with a specified cryptographic algorithm [selection:
- RSA schemes using cryptographic key sizes of ~~2048~~ __3072__-bit or greater
that meet the following: FIPS PUB 186-4, "Digital Signature
Standard (DSS)", Section 4
- ECDSA schemes using "NIST curves" P-384 and [selection: P-521, no
other curves ] that meet the following: FIPS PUB 186-4, "Digital
Signature Standard (DSS)", Section 5
] and cryptographic key sizes [assignment: cryptographic algorithm] that meet
the following: [assignment: list of standards].
See issue description.
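
A check of public keys against the modified selection, as an added example that is not part of the Technical Decision or the PP. It parses a DER SubjectPublicKeyInfo with the standard library only; the function names, the `allow_p521` switch (standing in for the ST author's P-521 selection) and the sample keys are assumptions constructed for illustration.

```python
OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
CURVES = {bytes.fromhex("2b81040022"): "P-384", bytes.fromhex("2b81040023"): "P-521",
          bytes.fromhex("2a8648ce3d030107"): "P-256"}

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def check_spki(der_bytes, allow_p521=True):
    """Return (compliant, label) for a DER SubjectPublicKeyInfo under the modified SFR."""
    tag, spki, _ = tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, alg, p = tlv(spki)                       # AlgorithmIdentifier
    _, bits, _ = tlv(spki, p)                   # BIT STRING subjectPublicKey
    _, oid, q = tlv(alg)
    if oid == OID_RSA:
        _, rsa_key, _ = tlv(bits[1:])           # skip the unused-bits octet
        _, modulus, _ = tlv(rsa_key)            # first INTEGER is the modulus n
        size = int.from_bytes(modulus, "big").bit_length()
        return size >= 3072, f"RSA-{size}"      # minimum was 2048 before TD0727
    if oid == OID_EC:
        name = CURVES.get(tlv(alg, q)[1], "other curve")
        ok = name == "P-384" or (name == "P-521" and allow_p521)
        return ok, f"ECDSA {name}"
    return False, "unsupported algorithm"

def der(tag, body):                             # minimal DER encoder for the samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

# Constructed samples: dummy modulus / all-zero point, structurally valid but not real keys.
def sample_rsa(bits):
    mod = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = der(0x30, der(0x02, mod) + der(0x02, b"\x01\x00\x01"))
    return der(0x30, der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + key))

def sample_ec(curve_oid, point_len):
    alg = der(0x30, der(0x06, OID_EC) + der(0x06, curve_oid))
    return der(0x30, alg + der(0x03, b"\x00\x04" + bytes(point_len)))
```

An RSA-2048 key that passed under the original selection is reported as non-compliant here, which is the behavioural change this TD introduces.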