NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0232:  FIA_X509_EXT.1.1 - Compliance to RFC5759 and RFC5280 for using CRLs

Publication Date
2017.08.28

Protection Profiles
PP_MDM_V3.0

Other References
FIA_X509_EXT.1.1

Issue Description

In MDM v3.0, FIA_X509_EXT.1.1 (bullet #4) requires that any PP-compliant use of CRLs comply with RFC 5759, which is written specifically around Suite B cryptography and requires the use of ECDSA. RFC 5280 defines the use of CRLs, their signatures, etc. without mandating ECDSA.

Resolution

FIA_X509_EXT.1.1, Bullet #4 is replaced as follows to allow compliance to RFC 5280 for CRLs:

· The TSF shall validate the revocation status of the certificate using [selection: the Online Certificate Status Protocol (OCSP) as specified in RFC 2560, a Certificate Revocation List (CRL) as specified in RFC 5280 Section 6.3, a Certificate Revocation List (CRL) as specified in RFC 5759 Section 5].

Justification

The MDM PP does not require elliptic curve; it is optional. Therefore, mandating EC for CRL signing is inconsistent.

This aligns with TD0217 & TD0169.
