Assurance Continuity - CertAgent v7.0
Date of Maintenance Completion: 2019.08.23
CC Certificate, Validation Report, Assurance Activity
Product Type: Certificate Authority
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Certification Authorities Version 2.1
Original Evaluated TOE: 2018.06.01 - CertAgent v7.0
Please note: The above files are for the Original Evaluated TOE. Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Security Target * Assurance Continuity Maintenance Report
Please note: This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with the latest Maintenance Release.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e., the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.
Three TOE changes were identified. These changes included an update to the version of Apache Tomcat; installation of Java; and a change to DN encoding.
The Apache Tomcat update, from version 8.5.23 to version 8.5.42, addresses published vulnerabilities in the server. A review of both the Tomcat Changelog and source code determined that the changes did not affect any TSF interfaces, SFR, or security functions and resulted in minor changes to the TOE.
The installer update no longer includes the Oracle JRE. Oracle JDK/JRE must be installed and maintained independently from the TOE. Additionally, the default DN encoding was changed to increase compatibility with products that support PrintableString.
A detailed description of each change and the associated impact and rationale was provided for all the TOE changes. The rationale provided supporting evidence to ensure that the changes were either not TOE security relevant or considered minor.
Two bug fixes were identified. These fixes impacted the sending of certificates issued by an intermediate CA and database size.
A detailed description of each fix and the associated impact and rationale was provided for all bug fixes. The rationale provided supporting evidence to ensure that the fixes either were not TOE security relevant or corrected minor issues.
Changes to Evaluation Documents:
The CC Guidance contains many updates related to the supported Java/JRE and the cc-mode installation. The document also indicates the following documents have been updated for this assurance maintenance.
Regression testing was performed on the TOE, using the same operational environments as the original evaluation testing, and all tests have been reported as passing. The regression testing included new feature testing, change testing, and other additional regression testing.
Information Security Corporation