HCD-iTC / HCD-iTC-Template

Minor comments from Shin-ichi Inoue (ecsec) against the Final Draft (v0.13) of the HCD cPP v1.0 #331

Open ansukert opened 2 years ago

ansukert commented 2 years ago

What is the change request for the cPP? Please describe.

The following comments against the Final Draft (version 0.13) of the HCD cPP v1.0 were made by Shin-ichi Inoue (ecsec):

  1. Section 5.3.2 FCS_CKM.2 Cryptographic Key Establishment (Refinement), pg. 31: In Dependencies, FCS_CKM.1 Cryptographic Key Generation should be changed to “FCS_CKM.1/AKG Cryptographic Key Generation (Asymmetric Keys)”
  2. Section 5.3.5 FCS_COP.1/DataEncryption Cryptographic Operation (Data Encryption/Decryption), pg. 33: In Dependencies, FCS_CKM.1 Cryptographic Key Generation should be changed to “FCS_CKM.1/SKG Cryptographic Key Generation (Symmetric Keys)”
  3. Section A.2.2.1. FCS_TLSC_EXT.1 TLS Client Protocol Without Mutual Authentication, pg. 77: In Dependencies, FCS_CKM.1 Cryptographic Key Generation should be changed to “FCS_CKM.1/AKG Cryptographic Key Generation (Asymmetric Keys)” and “FCS_CKM.1/SKG Cryptographic Key Generation (Symmetric Keys)”. Note that this same comment applies to the following additional SFRs:
     a. Section A.2.3.1 FCS_SSHC_EXT.1 SSH Client Protocol, pg. 81
     b. Section A.2.7.1 FCS_DTLSC_EXT.1 DTLS Client Protocol Without Mutual Authentication, pg. 91
     c. Section A.4.1.2 FIA_X509_EXT.2 X.509 Certificate Authentication, pg. 100
     d. Section C.3.2.1 FCS_TLSC_EXT.2 TLS Client Support for Mutual Authentication, pg. 112
     e. Section D.2.3.1 FCS_IPSEC_EXT.1 Extended: IPsec selected, pg. 119
     f. Section D.2.10.1 FCS_SSHC_EXT.1, pg. 130
     g. Section D.2.11.1 FCS_SSHS_EXT.1, pg. 132
     h. Section D.2.12.1 FCS_TLSC_EXT.1 TLS Client Protocol without Mutual Authentication, pg. 133
     i. Section D.2.12.2 FCS_TLSC_EXT.2 TLS Client Support for Mutual Authentication, pg. 134
     j. Section D.2.13.1 FCS_TLSS_EXT.1 TLS Server Protocol without Mutual Authentication, pg. 135
     k. Section D.2.13.2 FCS_TLSS_EXT.2 TLS Server Support for Mutual Authentication, pg. 136
     l. Section D.2.14.1 FCS_DTLSC_EXT.1 DTLS Client Protocol, pg. 137
     m. Section D.2.14.2 FCS_DTLSC_EXT.2 DTLS Client Support for Mutual Authentication, pg. 138
     n. Section D.2.15.1 FCS_DTLSS_EXT.1 DTLS Server Protocol, pg. 139
     o. Section D.2.15.2 FCS_DTLSS_EXT.2 DTLS Server Support for Mutual Authentication, pg. 140
  4. Section A.2.2. FCS_TLSC_EXT & FCS_TLSS_EXT TLS Protocol, FCS_TLSC_EXT.1.4, pg. 79: In Application Note, description of FCS_CKM.1 should be changed to “FCS_CKM.1/AKG”
  5. Section A.3.3. FCS_COP.1/CMAC Cryptographic Operation (for cipher-based message authentication), pg. 96: The description of the selection may be better modified as follows -- FCS_COP.1.1/CMAC Refinement: The TSF shall perform cryptographic [message authentication] in accordance with a specified cryptographic algorithm [selection:・・・] and cryptographic key sizes [assignment: key size (in bits)] used in [selection: HMAC, AES, CMAC] that meet the following: [selection:・・・
  6. Section A.3.3. FCS_COP.1/CMAC Cryptographic Operation (for cipher-based message authentication), pg. 96: The description of “NIST SP800-38B” in the selection should be one of the selection items, as follows --
    • ISO/IEC 9797-2:2011, Section 7 “MAC Algorithm 2”,
    • NIST SP 800-38B,
    • ISO/IEC 9797-1:2011, Section 7.6 “MAC Algorithm 5”・・・
  7. Section A.4.1.1. FIA_X509_EXT.1 X.509 Certificate Validation, pg. 100: In the last paragraph of the Application Note, there is the description “if "X.509 Certificate" is selected in FPT_TUD_EXT.1.3.”, but FPT_TUD_EXT doesn’t have such a selection. Note that the Application Note in A.4.1.2, pg. 101 has the same comment.
  8. Section A.4.1.2. FIA_X509_EXT.2 X.509 Certificate Authentication, pg. 100: In Dependencies, FCS_CKM.1 Cryptographic Key Generation should be changed to “FCS_CKM.1/AKG Cryptographic Key Generation (Asymmetric Keys)”. Note that the same comment applies to Sections A.4.1.3 FIA_X509_EXT.3 X.509 Certificate Requests, pg. 103 and Section D.4.3.3 FIA_X509_EXT.3 X.509 Certificate Requests, pg. 149
  9. Section C.4.1. FCS_CKM.1/AKG Cryptographic Key Generation (Asymmetric Keys), pg. 114: In the Application Note, the description about “distributed TOE” may not be necessary, because an MFP might not be a distributed TOE. Actually, it should be deleted.
  10. Section D.2.9. FCS_SNI_EXT Extended: Cryptographic Operation (Salt, Nonce, and Initialization Vector Generation), pg. 128: The drawing of Component levelling had better be adjusted.
  11. Section D.2.10 FCS_SSHC_EXT.1 SSH Client, pg. 129: The chapter title “FCS_SSHC_EXT.1” should be “FCS_SSHC_EXT”, the same as the other chapters. Section D.2.11. FCS_SSHS_EXT.1 SSH Server Protocol, pg. 131, is the same.

Describe the solution you'd like

Address the comments as indicated above

Describe alternatives you've considered

None

Additional context

None

kwangwoo-lee commented 2 years ago
  1. accepted
  2. accepted
  3. accepted ...
  4. accepted ...
  5. To be continued in a next meeting.