NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0392:  FCS_TLSC_EXT.1.2 Wildcard Checking

Publication Date
2019.02.24

Protection Profiles
PP_APP_v1.2

Other References
FCS_TLSC_EXT.1.2

Issue Description

For FCS_TLSC_EXT.1.2, the TSS assurance activity and Test assurance activity are inconsistent with each other regarding wildcards and IP addresses.

  • FCS_TLSC_EXT.1.2 requires the application to verify the presented identifier according to RFC 6125. RFC 6125 says support for wildcards is optional and does not allow for using an IP address as the reference identifier.
  • The Application Note says, “support for use of IP addresses…may be supported.”
  • The TSS Assurance Activity implies wildcard checking is optional and that IP addresses may be supported by saying, “TSS describes…whether IP addresses and wildcards are supported.”
  • The Test Assurance Activity requires support for wildcards (in Test 5) and requires testing wildcards in the leftmost position of IP addresses if IP addresses are supported.
Resolution

Test 5 for FCS_TLSC_EXT.1.2 shall be modified as follows (underlined text is new):

Test 5: The evaluator shall perform the following wildcard tests with each supported type of reference identifier. The support for wildcards is intended to be optional. If wildcards are supported, the first, second, and third tests below shall be executed. If wildcards are not supported, then the fourth test below shall be executed.
Test 5.1: [conditional]: If wildcards are supported, the evaluator shall present a server certificate containing a wildcard that is not in the left-most label of the presented identifier (e.g. foo.*.example.com) and verify that the connection fails.

Test 5.2: [conditional]: If wildcards are supported, the evaluator shall present a server certificate containing a wildcard in the left-most label but not preceding the public suffix (e.g. *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.example.com) and verify that the connection succeeds. The evaluator shall configure the reference identifier without a leftmost label as in the certificate (e.g. example.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g. bar.foo.example.com) and verify that the connection fails.

Test 5.3: [conditional]: If wildcards are supported, the evaluator shall present a server certificate containing a wildcard in the left-most label immediately preceding the public suffix (e.g. *.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g. bar.foo.com) and verify that the connection fails.

Test 5.4: [conditional]: If wildcards are not supported, the evaluator shall present a server certificate containing a wildcard in the left-most label (e.g. *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.example.com) and verify that the connection fails.
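As an added illustration (not part of the TD, the PP, or any evaluated product), the following Python implements the RFC 6125 DNS-ID wildcard rules that Test 5 exercises and replays the sub-tests above; the public-suffix set and the reference identifier used for Test 5.1 are constructed assumptions.

```python
import ipaddress

# Constructed, minimal public-suffix set for this example only; a real client
# would consult the Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def presented_id_matches(presented, reference, wildcards_supported=True):
    """Return True if the certificate's DNS-ID `presented` matches the
    reference identifier `reference` (RFC 6125 section 6.4.3 rules).

    - no wildcard: exact, case-insensitive label-by-label match
    - '*' is honoured only as the entire left-most label (Test 5.1)
    - '*' matches exactly one label, never zero or two (Test 5.2)
    - '*' directly in front of a public suffix never matches (Test 5.3)
    - if wildcards are unsupported, any '*' means no match (Test 5.4)
    """
    try:  # an IP address is not a valid DNS-ID reference identifier
        ipaddress.ip_address(reference)
        return False
    except ValueError:
        pass
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p_labels == r_labels
    if not wildcards_supported:
        return False
    # Whole left-most label must be '*' and no other label may contain one;
    # partial wildcards such as f*o.example.com are rejected (conservative).
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if ".".join(p_labels[1:]) in PUBLIC_SUFFIXES:
        return False
    # Same label count and identical non-wildcard labels: '*' eats one label.
    return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]

def run_td0392_test5(wildcards_supported=True):
    """Replay the Test 5 sub-tests; return {sub-test: outcome matches TD}."""
    cases = [  # (sub-test, presented identifier, reference identifier, expected)
        ("5.1", "foo.*.example.com", "foo.bar.example.com", False),  # constructed ref
        ("5.2a", "*.example.com", "foo.example.com", True),
        ("5.2b", "*.example.com", "example.com", False),
        ("5.2c", "*.example.com", "bar.foo.example.com", False),
        ("5.3a", "*.com", "foo.com", False),
        ("5.3b", "*.com", "bar.foo.com", False),
    ] if wildcards_supported else [("5.4", "*.example.com", "foo.example.com", False)]
    return {name: presented_id_matches(cert, ref, wildcards_supported) == expect
            for name, cert, ref, expect in cases}
```

Running `run_td0392_test5(True)` and `run_td0392_test5(False)` returns a True value for every sub-test, i.e. the matcher produces the connection outcome the TD expects in each case.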

Justification

See issue description.
