The Network Interpretations Team (NIT) has issued a technical decision regarding the FIA_X509_EXT requirement in the NDcPP v1.0 and FW cPP v1.0 regarding the timing of verification of revocation status for X.509 certificates and clarifies if FIA_X509_EXT.1.1 mandates revocation checking for TOE's own certificates during protocol negotiation. This TD supersedes TD0093.

 "Agree, the revocation should not have to be performed during power-up self-tests. Disagree, if when loading a certificate for use and if certificates are being used to verify trusted updates."

When establishing a trusted channel, the TOE is not expected to verify the validity of its own X.509 certificate. The related FTP requirements refer to ‘peer certificate’ only. So the TOE only needs to verify the peer certificate in this case.

To align with the NIT interpretation #56, the cPP has been modified to add an application note for FIA_X509_EXT.1.1 and the SD has been updated with additional evaluation activities for FIA_X509_EXT.1, FPT_TST_EXT.2, FPT_TUD_EXT.2 as written below.

For further information, please see the NIT interpretation at:

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI56.pdf.

Application Note for FIA_X509_EXT.1.1 (NDcPP):

The TSS shall describe when revocation checking is performed. It is expected that revocation checking is performed when a certificate is used in an authentication step and when performing trusted updates (if selected). It is not sufficient to verify the status of a X.509 certificate only when it's loaded onto the device.

It is not necessary to verify the revocation status of X.509 certificates during power-up self-tests (if the option for using X.509 certificates for self-testing is selected).

Addition to SD, chap. Section 2.3.5.1 - TSS FIA_X509_EXT.1:

“The evaluator shall ensure the TSS describes when the check of validity of the certificates takes place. It is expected that revocation checking is performed when a certificate is used in an authentication step and when performing trusted updates (if selected). It is not sufficient to verify the status of a X.509 certificate only when it's loaded onto the device.

It is not necessary to verify the revocation status of X.509 certificates during power-up self-tests (if the option for using X.509 certificates for self-testing is selected).

Addition to SD, chap. Section 2.3.5.2 – Tests FIA_X509_EXT.1 – general, before the description of tests:

“The evaluator shall demonstrate that checking the validity of a certificate is performed when a certificate is used in an authentication step or when performing trusted updates (if FPT_TUD_EXT.2 is selected). It is not sufficient to verify the status of a X.509 certificate only when it's loaded onto the device.

It is not necessary to verify the revocation status of X.509 certificates during power-up self-tests (if the option for using X.509 certificates for self-testing is selected).”

Addition to SD, chap. Section 2.5.4.1 – Tests FPT_TST_EXT.2:

“It is not necessary to verify the revocation status of X.509 certificates during power-up.”

Addition to SD, chap. Section 2.5.6.1 – TSS FPT_TUD_EXT.2:

"The TSS shall describe when revocation checking is performed. It is expected that revocation checking is performed when a certificate is used when performing trusted updates. It is not sufficient to verify the status of a X.509 certificate only when it's loaded onto the device.”

Addition to SD, chap. Section 2.5.6.3 – Tests FPT_TUD_EXT.2:

“The evaluator shall demonstrate that checking the validity of a certificate is performed when a certificate is used when performing trusted updates. It is not sufficient to verify the status of a X.509 certificate only when it's loaded onto the device.”

See Issue Description