Netscape Certificate Management System (CMS) provides a powerful security framework to guarantee the identity of users and ensure privacy of communications. Certificate Management System issues and manages X.509v3 certificates needed to handle strong authentication, single sign-on and secure communications. Certificate Management System handles all the major functions around the certificate lifecycle simplifying enterprise-wide deployment and adoption. Customizable registration allows Netscape Certificate Management System to adapt to virtually any enterprise security policy.
\r\nThe Netscape Certificate Management System 6.1 Service Pack 1 Target of Evaluation (TOE) is a Java application. The CMS TOE is designed to integrate with a directory server such as Netscape Directory Server and a HTTP engine such as Netscape Enterprise server to provide an internal data store and a network interface, respectively. The CMS TOE utilizes NSS (Netscape Network Security Services) and JSS (Netscape Java Security Services) libraries to support the use of hardware devices that perform standards-oriented cryptographic operations. All of the components represent a CMS system. A CMS system is designed to be hosted within a secure operating system (Solaris 8.0 was used for evaluation) and to be connected to networks, including the Internet, and to offer these services using standard HTTP/SSL protocols.
\r\nCMS is designed to be installed in one of four configurations: Certification Authority (CA), Registration Authority (RA), Online Certificate Status Protocol (OCSP) Responder, or Data Recovery Manager (DRM or KRA). The primary difference between these configurations is the set of services offered to users.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Netscape Certificate Management System 6.1 Service Pack 1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and National and International Interpretations effective on May 10, 2002. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 with the additional augmentation of the CC Flaw Remediation (ALC_FLR.2) family of assurance requirements. The product, when configured as specified in the Netscape Certificate Management System Guidance Documentation, dated March 6, 2003, satisfies all of the security functional requirements stated in the Netscape Certificate Management System 6.1 Service Pack 1 Security Target (Version 1.0). One validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in March 2003. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, (report number CCEVS-VR-03-0036, dated 17 March 2003) prepared by CCEVS.
","environmental_strengths":"CMS 6.1 is a certificate issuing and management product that offers such services as Certificate Enrollment, Certificate Renewal, Certificate Revocation, Certificate Retrieval, Request Queue Management, Certification and Certificate Revocation List (CRL) Management, Remote Server Request Handling, Configuration Management, Key Archival and Retrieval Service, and Online Certificate Status Protocol (OCSP) Response Service. CMS supports eight security functions:
\r\n