Ryuichiro-Ohya-FX
commented
11 months ago To me, the proposed option seems not appropriate for this SFR. As describe in Application Note, this SFR is intended to be used to describe the behavior in the event that such a connection cannot be established based on the assumption CRL file was imported previously. And I think FIA_X509_EXT.1/Rev allows us to use OCSP or CRL indirectly. The proposed option seems to equal to the assumption FIA_X509_EXT.2.2 is based on. So, I don't think the proposed solution is not necessary.
A comment from Shin-ichi Inoue, ECSEC laboratory against HCD cPP v1.0: Section A.5.1.2 FIA_X509_EXT.2 X.509 Certificate Authentication, FIA_X509_EXT.2.2 - Usage of an offline CRL (CRL may be imported to TOE by USB memory) is not considered as an option in this SFR. In this case, TOE doesn’t need to establish a connection.
Solution: Add the option “allow the Administrator to import CRL file and perform OFFLINE-validation of a certificate” in the selection in this SFR.