NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0256:  NIT Technical Decision for Handling of TLS connections with and without mutual authentication

Publication Date
2017.11.13

Protection Profiles
CPP_ND_V1.0, CPP_ND_V2.0, CPP_ND_V2.0E

Other References
ND SD V1.0, ND SD V2.0, FCS_DTLSC_EXT.2.5 (ND SD V2.0), FCS_TLSC_EXT.2 (ND SD V1.0, ND SD V2.0)

Issue Description

The NIT has issued a technical decision for Handling of TLS connections with and without mutual authentication.

Resolution

For ND SD V1.0 and ND SD V2.0, FCS_TLSC_EXT.2.5 Test 1 shall therefore be modified as follows:

"The purpose of these tests is to confirm that the TOE appropriately handles connection to peer servers that support and do not support mutual authentication.

Test 1: The evaluator shall establish a connection to a peer server that is not configured for mutual authentication (i.e. does not send Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE did not send Client’s Certificate message (type 11) during handshake. 

Test 2: The evaluator shall establish a connection to a peer server with a shared trusted root that is configured for mutual authentication (i.e. it sends Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a TLS channel and confirms that the TOE responds with a non-empty Client’s Certificate message (type 11) and Certificate Verify (type 15) messages."

 

For ND SD V2.0, this consideration applies not only to FCS_TLSC_EXT.2.5 but also to FCS_DTLSC_EXT.2.5. FCS_DTLSC_EXT.2.5 Test 1 shall therefore be modified as follows:

"The purpose of these tests is to confirm that the TOE appropriately handles connection to peer servers that support and do not support mutual authentication.

Test 1: The evaluator shall establish a connection to a peer server that is not configured for mutual authentication (i.e. does not send Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a DTLS channel and confirms that the TOE did not send Client’s Certificate message (type 11) during handshake.

Test 2: The evaluator shall establish a connection to a peer server with a shared trusted root that is configured for mutual authentication (i.e. it sends Server’s Certificate Request (type 13) message). The evaluator observes negotiation of a DTLS channel and confirms that the TOE responds with a non-empty Client’s Certificate message (type 11) and Certificate Verify (type 15) messages."

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201705.pdf
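
The following Python sketch is an added example, not part of the NIT decision or the Supporting Documents: it applies the TLS Test 1 and Test 2 observations above to the plaintext portion of a TLS 1.2 handshake, split by direction. The function names and the sample byte strings are constructed for illustration; DTLS uses different record and handshake headers and is not covered here.

```python
import struct

CERTIFICATE, CERTIFICATE_REQUEST, CERTIFICATE_VERIFY = 11, 13, 15

def handshake_messages(stream):
    """Return [(msg_type, body)] for the plaintext handshake messages in one
    direction of a TLS 1.2 byte stream (everything before ChangeCipherSpec)."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        if ctype != 22:  # not a handshake record: later records are encrypted
            break
        buf += stream[pos + 5:pos + 5 + rlen]  # messages may span records
        pos += 5 + rlen
    msgs, off = [], 0
    while off + 4 <= len(buf):
        mlen = int.from_bytes(buf[off + 1:off + 4], "big")
        msgs.append((buf[off], buf[off + 4:off + 4 + mlen]))
        off += 4 + mlen
    return msgs

def evaluate(server_stream, client_stream):
    """Apply Test 1 or Test 2 depending on whether the server sent type 13."""
    requested = any(t == CERTIFICATE_REQUEST for t, _ in handshake_messages(server_stream))
    client = handshake_messages(client_stream)
    certs = [body for t, body in client if t == CERTIFICATE]
    # certificate_list is prefixed by a 3-byte length; zero means an empty message
    non_empty = any(int.from_bytes(body[:3], "big") > 0 for body in certs)
    verify = any(t == CERTIFICATE_VERIFY for t, _ in client)
    if not requested:
        return ("Test 1", "pass" if not certs else "fail")
    return ("Test 2", "pass" if non_empty and verify else "fail")

# --- constructed sample handshakes (placeholder bodies, not a real capture) ---
def hs(msg_type, body=b""):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def rec(payload, ctype=22):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

CCS = rec(b"\x01", ctype=20)
ENTRY = (4).to_bytes(3, "big") + b"\x00" * 4          # one placeholder certificate
CERT_LIST = len(ENTRY).to_bytes(3, "big") + ENTRY
SERVER_PLAIN = rec(hs(2) + hs(11, CERT_LIST) + hs(14)) + CCS
SERVER_MUTUAL = rec(hs(2) + hs(11, CERT_LIST) + hs(13) + hs(14)) + CCS
CLIENT_PLAIN = rec(hs(1) + hs(16)) + CCS
CLIENT_MUTUAL = rec(hs(1) + hs(11, CERT_LIST) + hs(16) + hs(15)) + CCS
CLIENT_EMPTY = rec(hs(1) + hs(11, b"\x00\x00\x00") + hs(16)) + CCS
```

The server's own Certificate message is also type 11, which is why the check is made per direction rather than on message type alone.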

Justification

See issue description.

 
 