NIAP: View Technical Decision Details
Archived TD0045: Removal of FDP_OCSP_EXT.1.2 in CAPP

Publication Date
2015.05.20

Protection Profiles
PP_CA_v1.0

Other References
PP_CA_v1.0

Issue Description

FDP_OCSP_EXT.1.2 specifies mandatory elements for OCSP response formats other than RFC 6960, i.e. it admits OCSP formats that do not conform to the RFC.

Resolution

1) The following requirement is being removed from the CAPP:

FDP_OCSP_EXT.1.2 For formats other than those specified by IETF RFC 6960, the following elements shall be present:

a) Version

b) Signature algorithm field

c) Time at which status is known to be correct

d) Time at which response was signed

e) Time at which next response will be available


2) Removing “[assignment: other OCSP standards]], no other certificate status information]” from the FCO_NRO_EXT.2.2 requirement.

The revised requirement reads: FCO_NRO_EXT.2.2: The TSF shall provide proof of origin for certificate status information it issues in accordance with the digital signature requirements in [selection: CRLs (RFC 5280), OCSP (RFC 6960)] and FCS_COP.1(2).

Addition to Application Note: Implementations additionally meeting a specific OCSP profile such as RFC 5019 should be interoperable with a client fully compliant with RFC 6960. In future versions of this document, SHA-1 may be removed as an option, at which point the OCSP Profile defined in RFC 5019 will be considered obsolete.

3) Removing “the OCSP standard as defined by [selection: RFC 6960, other OCSP standard]]” from the FDP_CSI_EXT.1.1 requirement.

The revised requirement reads: FDP_CSI_EXT.1.1 The TSF shall provide certificate status information whose format complies with [selection: ITU-T Recommendation X.509v1 CRL, ITU-T Recommendation X.509v2 CRL, RFC 6960].

Addition to Application Note: Implementations additionally meeting a specific OCSP profile such as RFC 5019 should be interoperable with a client fully compliant with RFC 6960. In future versions of this document, SHA-1 may be removed as an option, at which point the OCSP Profile defined in RFC 5019 will be considered obsolete.
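The five elements withdrawn in item 1 all have a fixed home in the RFC 6960 BasicOCSPResponse structure (ResponseData.version, BasicOCSPResponse.signatureAlgorithm, SingleResponse.thisUpdate, ResponseData.producedAt, SingleResponse.nextUpdate), which is why the requirement is redundant once only RFC 6960 is permitted. The following Python is an added example, not NIAP or Protection Profile text: it constructs a sample RFC 6960 OCSPResponse with a minimal DER encoder (hashes, responder key hash and signature bits are dummy values, and no signature is verified), then walks the DER to locate those five fields and to report whether the response also meets the two RFC 5019 constraints the application notes in items 2 and 3 refer to (SHA-1 for the CertID hashes, RFC 5019 section 2.1.1, and nextUpdate always present, section 2.2.4). Function and variable names are this example's own.

```python
"""Added example (not NIAP/PP text): map the five elements of the withdrawn
FDP_OCSP_EXT.1.2 onto the RFC 6960 BasicOCSPResponse structure and check a
DER-encoded OCSPResponse for them, plus the RFC 5019 constraints (SHA-1 CertID,
nextUpdate present). Pure Python; parses structure only, no signature check."""
import datetime

SHA1_OID, SHA256_OID = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"
SHA256_RSA_OID, ID_PKIX_OCSP_BASIC = "1.2.840.113549.1.1.11", "1.3.6.1.5.5.7.48.1.1"

# ---- minimal DER encoder, only what the constructed sample needs ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def seq(*items):    return der(0x30, b"".join(items))
def explicit(n, x): return der(0xA0 | n, x)                    # [n] EXPLICIT
def integer(v):     return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def octets(b):      return der(0x04, b)
def gen_time(dt):   return der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())
def alg_id(o):      return seq(oid(o), der(0x05, b""))          # AlgorithmIdentifier, NULL params

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def build_sample_response(next_update=True, hash_oid=SHA1_OID, version=None):
    """Constructed sample: hashes, responder key hash and signature are dummy bytes."""
    t = datetime.datetime(2015, 5, 20, 12, 0, 0)
    cert_id = seq(alg_id(hash_oid), octets(b"\x11" * 20), octets(b"\x22" * 20), integer(0x1234))
    single = cert_id + der(0x80, b"") + gen_time(t)             # certStatus good, thisUpdate
    if next_update:
        single += explicit(0, gen_time(t + datetime.timedelta(days=1)))   # nextUpdate [0]
    tbs = b"" if version is None else explicit(0, integer(version))       # version DEFAULT v1
    tbs += explicit(2, octets(b"\x33" * 20))                    # responderID byKey [2]
    tbs += gen_time(t + datetime.timedelta(minutes=1))          # producedAt
    tbs += seq(seq(single))                                     # responses SEQUENCE OF SingleResponse
    basic = seq(seq(tbs), alg_id(SHA256_RSA_OID), der(0x03, b"\x00" + b"\x44" * 32))
    return seq(der(0x0A, b"\x00"), explicit(0, seq(oid(ID_PKIX_OCSP_BASIC), octets(basic))))

# ---- minimal DER reader ----
def read_tlv(buf, i=0):
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def children(content):
    out, i = [], 0
    while i < len(content):
        tag, body, i = read_tlv(content, i)
        out.append((tag, body))
    return out

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v); v = 0
    return ".".join(map(str, parts))

def check_ocsp_elements(response_der):
    """Return the RFC 6960 fields carrying the five withdrawn elements plus an RFC 5019 flag."""
    status, resp_bytes = children(read_tlv(response_der)[1])
    if status != (0x0A, b"\x00"):
        raise ValueError("responseStatus is not successful(0)")
    rtype, rbody = children(children(resp_bytes[1])[0][1])
    if decode_oid(rtype[1]) != ID_PKIX_OCSP_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    tbs, sig_alg = children(read_tlv(rbody[1])[1])[:2]          # BasicOCSPResponse
    fields, version = children(tbs[1]), 0                        # version DEFAULT v1 (= 0), omitted in DER
    if fields[0][0] == 0xA0:
        version, fields = int.from_bytes(children(fields[0][1])[0][1], "big"), fields[1:]
    _responder_id, produced_at, responses = fields[:3]
    cert_id, _status, this_update, *rest = children(children(responses[1])[0][1])
    next_update = next((children(b)[0][1] for t, b in rest if t == 0xA0), None)
    cert_id_hash = decode_oid(children(children(cert_id[1])[0][1])[0][1])
    return {
        "version": version,                                      # a) Version
        "signature_algorithm": decode_oid(children(sig_alg[1])[0][1]),  # b) signature algorithm field
        "this_update": this_update[1].decode(),                  # c) time status is known correct
        "produced_at": produced_at[1].decode(),                  # d) time response was signed
        "next_update": next_update.decode() if next_update else None,   # e) next response available
        # RFC 5019: SHA-1 CertID hashes (sec. 2.1.1) and nextUpdate always present (sec. 2.2.4)
        "rfc5019_profile": cert_id_hash == SHA1_OID and next_update is not None,
    }
```

Two caveats worth keeping in mind when turning this into an evaluation check: the version field is DEFAULT v1, so DER encoding omits it from every conforming response and a checker that demands its literal presence rejects all of them; and nextUpdate is OPTIONAL in RFC 6960 itself, so its absence is only a finding against the RFC 5019 profile, not against RFC 6960 conformance.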

Justification

Non-conformance with the RFC is not allowed.
