NIAP: View Technical Decision Details
TD0296:  Update to FCS_HTTPS_EXT.1.3

Publication Date
2018.03.14

Protection Profiles
PP_APP_v1.2

Other References
FCS_HTTPS_EXT.1.3

Issue Description

It is acceptable for an application software TOE to silently fail HTTPS certificate validation if the intent of the interface is for machine-to-machine communications and not user-initiated.

Resolution

FCS_HTTPS_EXT.1.3 is modified as follows:

The application shall [selection: not establish the connection, notify the user and not establish the connection, notify the user and request authorization to establish the connection] if the peer certificate is deemed invalid.

This requirement depends upon selection in FTP_DIT_EXT.1.1.

Application Note: Validity is determined by the certificate path, the expiration date, and the revocation status in accordance with RFC 5280. If the communication is user-initiated, the application must select to notify the user.

Assurance Activity: Certificate validity shall be tested in accordance with testing performed for FIA_X509_EXT.1, and the evaluator shall perform the following test:

Test 1: The evaluator shall demonstrate that using a certificate without a valid certification path results in the selected action in the SFR.  If "notify the user" is selected in the SFR, then the evaluator shall also determine that the user is notified of the certificate validation failure. Using the administrative guidance, the evaluator shall then load a certificate or certificates to the Trust Anchor Database needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator then shall delete one of the certificates, and show that again, using a certificate without a valid certification path results in the selected action in the SFR, and if "notify the user" was selected in the SFR, the user is notified of the validation failure.
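The three steps of Test 1, as an added shell example that is not part of the NIAP text: it uses the `openssl` command line and a constructed lab PKI to show the expected outcome with no trust anchor, with the anchor loaded, and with the anchor deleted again. The directory standing in for the Trust Anchor Database, the file names, the subjects and the `established`/`rejected` labels are assumptions; `rejected` models the selection "not establish the connection", and only the certification path is exercised (not expiration, revocation or user notification).

```shell
#!/bin/sh
# Added example: constructed lab PKI; every name and path is a sample value.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STORE="$WORK/trust-anchors"   # stands in for the TOE's Trust Anchor Database
mkdir -p "$STORE"

# Create a self-signed root CA (the trust anchor) and a leaf issued by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.lab.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Validate the peer certificate against whatever anchor is in STORE.
# With the store empty, openssl falls back to the system defaults, which
# cannot contain the freshly generated lab root, so path building fails.
outcome() {
    set --
    [ -f "$STORE/root.pem" ] && set -- -CAfile "$STORE/root.pem"
    if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo established
    else echo rejected          # the selected action in the SFR
    fi
}

# Test 1 sequence: no valid path, load the anchor, delete the anchor.
run_test1() {
    make_pki || { echo "pki-setup-failed"; return 1; }
    rm -f "$STORE/root.pem"
    step1=$(outcome)                       # no valid certification path
    cp "$WORK/ca.pem" "$STORE/root.pem"    # load the trust anchor
    step2=$(outcome)                       # function must now succeed
    rm -f "$STORE/root.pem"                # delete the certificate again
    step3=$(outcome)                       # selected action must recur
    echo "$step1 $step2 $step3"
}

run_test1   # rejected established rejected
```
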

Justification

See issue description.

 
 