Closed Kirky-J closed 1 year ago
For section 3.2.1.1, a new paragraph has been created under the TSS section and the suggested language has been adapted and inserted. The paragraph now reads:
If selected, the TSS shall describe how certificate revocation checking is performed. It is expected that either OCSP or CRL revocation checking is performed when a certificate is presented to the TOE (e.g. during authentication).
For section 4.3.1.3, the suggested sentence has been inserted.
Fixed in editorial-SD-080223
Section 3.2.1.1 para 242 and Section 4.3.1.3 para 562
FIA_X509_EXT.1: “It is not sufficient to verify the status of a X.509 certificate only when it’s loaded onto the device.” Consider rewording with a positive statement (e.g., It is sufficient to …). Please also consider duplicating this text in the corresponding Application Note in the NDcPP, as it clarifies the scope of a functional requirement.
Suggested change: It is expected that either OCSP or CRL revocation checking is performed when the certificate is presented to the TOE (e.g., during authentication). It is expected that the CRL is periodically and automatically uploaded.