NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0354:  MDM CRLsign exceptions

Publication Date
2018.09.20

Protection Profiles
PP_MDM_V3.0

Other References
FIA_X509_EXT.1

Issue Description

FIA_X509_EXT.1 Test 4 indicates "If CRL is selected, the evaluator shall configure the CA to sign a CRL with a certificate that does not have the cRLsign key usage bit set, and verify that validation of the CRL fails." There are some root CAs that do not contain a key usage extension.

Resolution

Test 4 is replaced as follows:

Test 4: [conditional] If OCSP is selected, the evaluator shall configure the OCSP server or use a man-in-the-middle tool to present a certificate that does not have the OCSP signing purpose and verify that validation of the OCSP response fails. If CRL is selected and the CA contains a Key Usage extension, the evaluator shall configure the CA to sign a CRL with a certificate that does not have the cRLsign key usage bit set, and verify that validation of the CRL fails. If the CA is a root CA with no Key Usage extension, this test is not performed.

Justification

It is acceptable to allow root CAs (trust anchors) to issue CRLs without the root CA certificate containing KeyUsage. However, if a root CA certificate contains the KeyUsage extension, it must have the cRLSign bit set.

 
 
Site Map              Contact Us              Home