GSA / piv-conformance

Tool to verify conformance to the PIV data model per most recent releases of FIPS 201 and associated publications

Key Management Certificate and Card Authentication Certificates are not checking that the expiration date does not go beyond the Card Expiration Date #304

Closed dbcolston closed 10 months ago

ryancdickson commented 3 years ago

@dbcolston - reviewing 800-85B-4 it seems as if expiration comparison test cases only exist for the PIV Authentication and Digital Signature certificates.

AS07.01.15: The expiration of the PIV authentication certificate is not beyond the expiration of the CHUID.

AS07.02.11: The expiration of the digital signature certificate is not beyond the expiration of the CHUID.

AS04.03.01 indicates the CHUID expiration date shall be the same as printed on the card - limiting the expiration of the certificates above to the card's expiration.

We'll check with colleagues at NIST to learn if future revisions of 800-85B will extend the validity checks to other types of certificates found on PIV cards - and have tagged this issue with the "enhancement" label for consideration in future updates of the tool. I can't think of a scenario where we'd want any of the certificates' validity to extend beyond the card's expiration.

Thanks for your feedback!
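The CHUID-versus-certificate expiration check that the two assertions above describe, applied to all four PIV certificates including the Key Management and Card Authentication certificates this issue asks about, as an added Python example that is not part of piv-conformance (the project itself is Java). The CHUID tag layout follows SP 800-73-4 (tag 0x35 is the expiration date as eight ASCII digits, YYYYMMDD); the sample CHUID bytes and certificate notAfter values are constructed, and comparing by calendar day is an assumption of this example.

```python
from datetime import date, datetime

# CHUID data object tags from SP 800-73-4 Table 9. Only the expiration date is
# needed here: tag 0x35 carries eight ASCII digits, YYYYMMDD.
CHUID_TAG_EXPIRATION = 0x35

def parse_tlv(blob: bytes) -> dict:
    """Minimal BER-TLV walk over a flat data object with single-byte tags."""
    fields, i = {}, 0
    while i < len(blob):
        tag, length = blob[i], blob[i + 1]
        i += 2
        if length & 0x80:  # long form: 0x81/0x82 followed by the length bytes
            n = length & 0x7F
            length = int.from_bytes(blob[i:i + n], "big")
            i += n
        fields[tag] = blob[i:i + length]
        i += length
    return fields

def chuid_expiration(chuid: bytes) -> date:
    """Return the card expiration date encoded in the CHUID (tag 0x35)."""
    raw = parse_tlv(chuid).get(CHUID_TAG_EXPIRATION)
    if raw is None or len(raw) != 8 or not raw.isdigit():
        raise ValueError("CHUID has no well-formed expiration date (tag 0x35)")
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d").date()

def check_cert_expirations(chuid: bytes, cert_not_after: dict) -> dict:
    """Map each certificate name to True when its notAfter does not go beyond
    the CHUID expiration. The CHUID date has no time of day, so the comparison
    is by calendar day (an assumption of this example)."""
    card_exp = chuid_expiration(chuid)
    return {name: not_after.date() <= card_exp
            for name, not_after in cert_not_after.items()}

# Constructed sample CHUID: zeroed GUID (0x34), expiration (0x35), empty EDC (0xFE).
SAMPLE_CHUID = (bytes([0x34, 16]) + bytes(16)
                + bytes([0x35, 8]) + b"20261231"
                + bytes([0xFE, 0]))

# Constructed notAfter values; the Key Management certificate outlives the card.
SAMPLE_CERTS = {
    "PIV Authentication": datetime(2026, 12, 31, 23, 59, 59),
    "Digital Signature": datetime(2026, 6, 30, 23, 59, 59),
    "Key Management": datetime(2027, 3, 1, 0, 0, 0),
    "Card Authentication": datetime(2026, 12, 31, 23, 59, 59),
}
```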