NIAP: Assurance Continuity
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Product Entry  »»  Assurance Continuity  
Assurance Continuity - CertAgent v7.0 Patch Level 9.6

Date of Maintenance Completion:  2022.04.21

Product Type:    Certificate Authority

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Certification Authorities Version 2.1

Original Evaluated TOE:  2021.08.06 - CertAgent v7.0 Patch Level 9

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the affect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE are considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents. 

Product Description

For this Assurance Continuity, the version number of TOE changed from Version 7.0 patch level 9.0 to Version 7.0 patch level 9.6. The following paragraphs list the minor software changes and fixes made to the TOE during the maintenance cycle.

Software Changes

The developer reported the new features/changes to the product located in the tables below:

 

Added an option to accept non-critical basicConstraints and keyUsage extensions in intermediate CA certificates in path validation
  • Impact: Minor
  • Rationale: The feature allows customers to transition from an existing, non-compliant, PKI while enforcing other path validation requirements. Use of this feature is not allowed in the evaluated configuration. The option that places the TOE in the evaluated configuration remains enabled in the NIAP mode as documented in the common criteria guidance and the TOE functionality does not change from the validated TOE security functionality when the option to require critical basicConstraints and keyUsage extensions in intermediate CA certificates is enabled.
Added a new password-based EST RA role to act as a registration authority to enroll certificates for subscribers via EST using basic authentication
  • Impact: Minor
  • Rationale: The feature impacts FIA_ESTS_EXT.1.3.  There are no assurance activities associated with this change and only users with valid EST usernames and passwords can enroll a certificate via EST using basic authentication. This new EST RA option is disabled in the evaluated configuration and therefore does not impact the evaluated configuration.
Added an option to manage EST users via RA Management Interface (RAMI)
  • Impact: Minor
  • Rationale: This is a usability feature that which affects the security claims within the evaluation. However, this feature is not used in the evaluated configuration. RAMI management of EST users is disabled in NIAP compliant TOE which is the same as the RAMI setting in the validated TOE
Apache Tomcat has been updated from version 8.5.57 to version 8.5.73 to address published vulnerabilities and defects.
  • Impact: Minor
  • Rationale: The update was performed to address the vulnerabilities associated with the version of the software in the product
The Apache Log4j 2 library has been updated from version 2.13.3 to version 2.17.1
  • Impact: Minor
  • Rationale: The update was performed to address the vulnerabilities associated with the version of the software in the product
Google gson library has been updated from version 2.8.6 to version 2.8.9.
  • Impact: Minor
  • Rationale: The update was performed to address the vulnerabilities associated with the version of the software in the product
Updated Linux installation script to support Ubuntu
  • Impact: Minor
  • Rationale: This is a usability feature that does not affect any of the security claims within the evaluation. The vendor is not claiming Ubuntu to be equivalent to the validated platforms or that the TOE can be installed on Ubuntu in the evaluated configuration.
Updated EST User Self-Service Page
  • Impact: Minor
  • Rationale: This is a usability feature that does not affect any of the security claims within the evaluation. This feature allows for searching users by type instead of displaying users in two sections.
Added an evaluation option to the installer
  • Impact: Minor
  • Rationale: This is a usability feature that does not affect any of the security claims within the evaluation. The evaluation copy is the same as the activated copy except a red banner with “Evaluation Copy” will appear on the top of all web pages and “Evaluation Copy” will appear in the About page.
Updated License Agreement
  • Impact: Minor
  • Rationale: This is an update that does not affect any of the security claims within the evaluation. This change provides clarity to the agreement terms between the vendor and their customer.

 

Software Fixes

The following list of software fixes have been addressed as of Version 7.0 patch level 9.6 of the TOE. These have been included to verify that the TOE maintenance cycle is maintained to ensure all bugs and code fixes are addressed during the life cycle.

Corrected two rare crashes when signing objects
  • Impact: Minor
  • Rationale: This is a bug fix that impacts FCS_COP.1(2) and FCS_COP.1(1). However, it is an alteration to the processing logic to avoid the crash and has no relation to the actual cryptographic operation or the resulting values from the cryptographic operation.
Credentials, Certificate Issuance, Advanced Certificate Request pages are now displayed properly in Internet Explorer
  • Impact: Minor
  • Rationale: This is bug fix that does not change security functionality/affect any SFRs.
Special characters are now escaped properly in the HSQLDB script and Tomcat configuration file
  • Impact: Minor
  • Rationale: This is bug fix that does not change security functionality/affect any SFRs.
The TOE no longer shuts down after updating the EST user configuration 20 times
  • Impact: Minor
  • Rationale: This is bug fix that does not change security functionality/affect any SFRs.

 

 

Changes to Evaluation Documents:

The AGD document named “CertAgent Guidance for Common Criteria Evaluation” has been updated to version 2.7.1, April 7, 2022.

The Security Target document named “CertAgent Security Target for Common Criteria Evaluation” has been updated to version 4.3.2, April 8, 2022.

Vendor Information


Information Security Corporation
Jonathan Schulze-Hewett
847-405-0500
708-445-9705
schulze-hewett@infoseccorp.com

https://www.infoseccorp.com
Site Map              Contact Us              Home