Tool to verify conformance to the PIV data model per most recent releases of FIPS 201 and associated publications
Key Management Certificate and Card Authentication Certificates are not checking that the expiration date does not go beyond the Card Expiration Date #304
@dbcolston - reviewing 800-85B-4 it seems as if expiration comparison test cases only exist for the PIV Authentication and Digital Signature certificates.
AS07.01.15: The expiration of the PIV authentication certificate is not beyond the expiration of the CHUID.
AS07.02.11: The expiration of the digital signature certificate is not beyond the expiration of the CHUID.
AS04.03.01 indicates the CHUID expiration date shall be the same as printed on the card - limiting the expiration of the certificates above to the card's expiration.
We'll check with colleagues at NIST to learn if future revisions of 800-85B will extend the validity checks to other types of certificates found on PIV cards - and have tagged this issue with the "enhancement" label for consideration in future updates of the tool. I can't think of a scenario where we'd want any of the certificates' validity to extend beyond the card's expiration.
Thanks for your feedback!
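The comparison discussed in this thread, applied to all four certificate types rather than only the two covered by AS07.01.15 and AS07.02.11, as an added example that is not part of the issue or of the tool's own code. It assumes the CHUID contents are passed without the outer container wrapper, that the expiration element is tag 0x35 holding an ASCII YYYYMMDD value, and that the date counts as the end of that day in UTC; the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timezone

EXPIRATION_TAG = 0x35  # CHUID "Expiration Date": 8 ASCII digits, YYYYMMDD

def parse_tlv(buf):
    """Yield (tag, value) from a flat TLV buffer: one-byte tags, BER lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or i + n > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("TLV value runs past end of buffer")
        yield tag, buf[i:i + length]
        i += length

def chuid_expiration(chuid):
    """Return the CHUID expiration as the last second of that day, UTC (assumption)."""
    for tag, value in parse_tlv(chuid):
        if tag == EXPIRATION_TAG:
            day = datetime.strptime(value.decode("ascii"), "%Y%m%d")
            return day.replace(hour=23, minute=59, second=59, tzinfo=timezone.utc)
    raise ValueError("CHUID has no expiration date element")

def certs_beyond_chuid(chuid, not_after_by_cert):
    """Names of certificates whose notAfter is later than the CHUID expiration."""
    limit = chuid_expiration(chuid)
    return [name for name, not_after in not_after_by_cert.items() if not_after > limit]

# Constructed sample: zero-filled FASC-N (0x30) and GUID (0x34), expiration
# 2030-01-01, empty signature (0x3E) and error detection code (0xFE).
SAMPLE_CHUID = (bytes([0x30, 25]) + bytes(25) + bytes([0x34, 16]) + bytes(16)
                + bytes([0x35, 8]) + b"20300101" + bytes([0x3E, 0, 0xFE, 0]))

# Constructed notAfter values, as they would be read from each certificate.
SAMPLE_NOT_AFTER = {
    "PIV Authentication": datetime(2029, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
    "Digital Signature": datetime(2030, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
    "Key Management": datetime(2031, 6, 30, 0, 0, 0, tzinfo=timezone.utc),
    "Card Authentication": datetime(2030, 1, 2, 0, 0, 0, tzinfo=timezone.utc),
}
print(certs_beyond_chuid(SAMPLE_CHUID, SAMPLE_NOT_AFTER))
```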