NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0125:  NIT Technical Decision for Checking validity of peer certificates for HTTPS servers

Publication Date
2016.11.15

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References
ND SD v1.0, FCS_HTTPS_EXT.1.3

Issue Description

The Network Interpretations Team (NIT) has issued a technical decision regarding checking validity of peer certificates for HTTPS servers in the NDcPP v1.0 and FW cPP v1.0.

Resolution

To align with the NIT interpretation #36, FCS_HTTPS_EXT.1.3 is moved to selection-based since the requirement to check peer certificate validity does not apply to HTTPS servers which do not use mutual authentication.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI36.pdf.

FCS_HTTPS_EXT.1.3, the related Application Note, and the Supporting Document are modified as follows:

FCS_HTTPS_EXT.1.3 The TSF shall establish the connection only if [selection: the peer presents a valid certificate during handshake, the peer initiates handshake].

Application Note 51

Select ‘the peer presents a valid certificate’ if the TOE acts as a client, or if mutual certificate-based authentication is enforced when the TOE acts as a client or a server. Certificate validity must be determined according to FIA_X509_EXT.1/Rev if HTTPS is used for FPT_TRP.1/Admin or FTP_ITC.1, and on FIA_X509_EXT.1/ITT if HTTPS is used for FPT_ITT.1.

Select ‘the peer initiates handshake’ if the TOE acts as a server that does not enforce mutual certificate-based authentication. It is understood that in such cases peer authentication is achieved by other means.

The Supporting document should be modified as follows:

FCS_HTTPS_EXT.1 HTTPS Protocol

The following TSS requirement should be inserted above the existing tests for FCS_HTTPS_EXT.1.

TSS

FCS_HTTPS_EXT.1.3

The evaluator shall check that the TSS describes how peer authentication is implemented when HTTPS protocol is used.

The Test 2 requirement in paragraph 117 should also be modified as follows:

117      If ‘the peer presents a valid certificate during handshake’ is selected in FCS_HTTPS_EXT.1.3, then certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1 if HTTPS is used for FTP_TRP.1 or FTP_ITC.1.

Justification

See issue description.

 
 
Site Map              Contact Us              Home