Application notes for FCS_TLSS_EXT.1.1, FCS_TLSS_EXT.2.1, and FCS_TLSS_EXT.2.3 have references that point to missing or incorrect elements.  FMT_SMR was removed in SV PP v1.1 but is still listed in audit table.

07/30/2019: This TD has been archived and superseded by TD0431.

Make the following corrections:

1.       FCS_TLSS_EXT.1.1 – change 3^rd paragraph in app note to following:

 ·        (Current)If any ciphersuites are selected using ECDHE, then FCS_TLSS_EXT.1.5 is required.

·         (New)If any ciphersuites are selected using ECDHE, then FCS_TLSS_EXT.1.3 is required.

2.       FCS_TLSS_EXT.2.1 – change 3^rd paragraph in app note to following:

(Current) If any ciphersuites are selected using ECDHE, then FCS_TLSS_EXT.1.5 is required.

(New) If any ciphersuites are selected using ECDHE, then FCS_TLSS_EXT.2.3 is required.

3.       FCS_TLSS_EXT.2.3 – change app note to following:

·         (Current) If the ST lists a DHE or ECDHE ciphersuite in FCS_TLSS_EXT.1.1, the ST must include the Diffie-Hellman or NIST curves selection in the requirement.  FMT_SMF.1 requires the configuration of the key agreement parameters in order to establish the security strength of the TLS connection.

·         (New) If the ST lists a DHE or ECDHE ciphersuite in FCS_TLSS_EXT.2.1, the ST must include the Diffie-Hellman or NIST curves selection in the requirement. FMT_MOF_EXT.1.2 in the selected EP addresses  the "Ability to configure the cryptographic functionality" which allows for the configuration of the key agreement parameters in order to establish the security strength of the TLS connection. 

     4. FCS_TLSS_EXT.1.3 - change app note to following:

(Current) If the ST lists a DHE or ECDHE ciphersuite in FCS_TLSS_EXT.1.1, the ST must include the Diffie-Hellman or NIST curves selection in the requirement.  FMT_SMF.1 requires the configuration of the key agreement parameters in order to establish the security strength of the TLS connection.

     (New) If the ST lists a DHE or ECDHE ciphersuite in FCS_TLSS_EXT.1.1, the ST must include the Diffie-Hellman or NIST curves selection in the requirement.  FMT_MOF_EXT.1.2 in the selected EP addresses the "Ability to configure the cryptographic functionality" which allows for the configuration of the key agreement parameters in order to establish the security strength of the TLS connection.

     5. FCS_IPSEC_EXT.1.15 - change 3rd paragraph in app note to following:

(Current) The configuration of the peer reference identifier is addressed by FMT_SMF.1.1.

(New) The configuration of the peer reference identifier is addressed by FMT_MOF_EXT.1.2 in the selected EP.

6. FTP_ITC_EXT.1.1 - in first bullet, add FCS_TLSC_EXT.2 as a selection

(Current) TLS as conforming to [selection:FCS_TLSC_EXT.1,FCS_TLSS_EXT.1,FCS_TLSS_EXT.2]

(New) TLS as conforming to [selection:FCS_TLSC_EXT.1, FCS_TLSC_EXT.2, FCS_TLSS_EXT.1, FCS_TLSS_EXT.2]

7. In Table 1: Auditable Events - remove the FMT_SMR.2 row.

8. In Table 4: Auditable Events - add the following rows for FCS_TLSC_EXT.2 and FCS_TLSS_EXT.1:

4. 

4

Corrections made to ensure references in app notes pointed to correct SFR elements.  In some cases, the elements referred to were not in the PP.  An SFR in the audit table was removed since the SFR was no longer in the PP after an earlier revision.