FCS_STO_EXT.1 requires that Linux applications which rely on the platform for credential storage use Linux keyrings. The exact definition of what a Linux keyring is is unclear. There is a daemon application in the GNOME desktop environment called keyring, however this will not be a part of every Linux distribution. Platforms which have Java installed on them provide the option of using Java KeyStores to store certificates and private keys; these should be allowed as an alternative to the keyrings.

This TD supercedes TD0192.

The Application Note for FCS_STO_EXT.1.1 shall be modified as follows:

Application Note: This requirement ensures that persistent credentials (secret keys, PKI private keys, passwords, etc) are stored securely, and never persisted in cleartext form. Application developers are encouraged to use platform mechanisms for the secure storage of credentials. Depending on the platform that may include hardware-backed protection for credential storage. Application developers must choose a selection, or multiple selections, based on all credentials that the application stores. If not store any credentials is selected then the application must not store any credentials. If invoke the functionality provided by the platform to securely store is selected then the Application developer must closely review the AA for their platform and provide documentation indicating which platform mechanisms are used to store credentials. If implement functionality to securely store credentials is selected, then the following components must be included in the ST: FCS_COP.1(1). If other cryptographic operations are used to implement the secure storage of credentials, the corresponding requirements must be included in the ST.

If the OS is Linux and Java KeyStores are used to store credentials, implement functionality to securely store credentials must be selected.

See issue description.