NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0196:  Clarification for FCO_NRO_EXT.2.5 when selecting EST

Publication Date
2017.05.04

Protection Profiles
PP_CA_v2.0

Other References
FCO_NRO_EXT.2.5

Issue Description

In the PP, FCO_NRO_EXT.2.5 states ‘The TSF shall require and verify proof of origin for revocation requests it receives in accordance with [selection: CMC using mechanisms in accordance with FIA_CMC_EXT.1, EST in accordance with FIA_EST_EXT.1]”

RFC 7030, which defines EST, does not include any mechanisms for performing revocation in the simple enrollment specification required by FIA_EST_EXT.1.  

Resolution

For TOEs that support EST, the following notes are added to the Application Note and Assurance Activities for FCO_NRO_EXT.2 Certificate Based Proof of Origin.

App Note:

A TOE that supports both EST and CMC and can obtain revocation requests via one of the protocols would be in compliance with FCO_NRO_EXT.2.5.

 

TSS

For TOEs that only support EST, and do not support revocation requests under either CMC or EST, the TSS must describe the mechanism used to determine whether to revoke certificates.

 

Guidance

For TOEs that only support EST, and do not support revocation requests under either CMC or EST, the evaluator shall examine the guidance to ensure it describes support privileged user functionality as part of this mechanism.

Justification

RFC 7030 allows for full pki requests that would include revocation requests under CMC. However, the support for full pki requests/CMC is optional. The CA is still required to provide revocation information, but without certificate revocation requests supported under one or both of CMC/EST, the subject or an authorized entity has no standard mechanism to request revocation.

 
 
Site Map              Contact Us              Home