NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0391:  Intermediate certificate requirements

Publication Date
2019.02.24

Protection Profiles
PP_MDM_V3.0

Other References
FIA_X509_EXT.1.1

Issue Description

The Test Assurance Activity for FIA_X509_EXT.1.1 states "The evaluator shall create a chain of at least four certificates: the node certificate to be tested, two Intermediate CAs, and the self-signed Root CA."  The SFR itself does not require two intermediate CAs, and having multiple intermediate CAs does not provide additonal security.

Resolution

The introductory paragraph for the Test Assurance Activity shall be modified as follows:

The tests described must be performed in conjunction with the other certificate services assurance activities, including each of the functions in FIA_X509_EXT.2.1. The tests for the extendedKeyUsage rules are performed in conjunction with the uses that require those rules. The evaluator shall create a chain of at least four three certificates: the node certificate to be tested, two an Intermediate CAs, and the self-signed Root CA.

Justification

There must be at least one intermediate CA because the self-signed root CA should not be issuing certs.

 
 
Site Map              Contact Us              Home