NIAP: View Technical Decision Details
NIAP/CCEVS
TD0399:  NIT Technical Decision for Manual installation of CRL (FIA_X509_EXT.2)

Publication Date
2019.02.24

Protection Profiles
CPP_ND_V2.0E, CPP_ND_V2.1

Other References
FIA_X509_EXT.2, ND SD V2.0E, ND SD V2.1

Issue Description

The NIT has issued a technical decision for Manual installation of CRL (FIA_X509_EXT.2).

Resolution

Updated 3/18/2019 to also apply to NDcPP V2.1 and ND SD V2.1

The NIT believes that the current wording is appropriate and that the reference to an IT entity correctly expresses the intention to exclude reliance solely on manual update of CRLs. No change to the text is therefore proposed. The cPP does not prohibit support for locally stored CRLs that are manually loaded into the TOE. However, for a TOE to be compliant with this cPP, the TOE must support certificate validity checking from a dynamically updated source, such as downloading a CRL from a CRL server or performing a lookup using OCSP.
Note: This does not require that the TOE be connected to the internet or communicate directly with the CA (e.g. the dynamically updated source may be hosted on a private network).

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201820rev3.pdf

Justification

The NIT believes that the current wording is appropriate and that the reference to an IT entity correctly expresses the intention to exclude reliance solely on manual update of CRLs. No change to the text is therefore proposed.

The TOE must provide an automatic process for loading CRLs. This process may run asynchronously and populate a CRL cache.

Optionally, a manual method for uploading CRLs may be provided to supplement the automatic updating of CRLs.

Note: This does not require that the TOE be connected to the internet or communicate directly with the CA (e.g. the source(s) for the automatic update may be hosted on a private network).
Per RFI201630, the use of X.509 certificates is optional for FPT_TUD_EXT.1. The use of X.509 certificates is likewise optional for FPT_TST_EXT.1.
