[cPP Comment 14, 15] TLS mutual authentication and DTLS mutual authentication

[kr15tyk]

Location: NDcPP: Appendix A, B

Comment 14: Need to better explain when (D)TLS requirements are selection-based versus optional. Suggested Change: Consider making renegotiation protection (including TLS 1.3 rejection) selection based (if (D)TLS 1.2 is claimed – as is, or if (D)TLS is claimed if modified to as suggested below). Why wasn’t this selection based for TLS mutual authentication and DTLS mutual authentication? What was the reasoning?

Comment 15: Why wasn’t this selection based for TLS mutual authentication and DTLS mutual authentication? What was the reasoning? Suggested Change: Discuss with the appropriate people which may result in a suggested change from NIAP.

[kenji-lightship]

Comment 14: Sounds reasonable.

Comment 15: I think this was largely from following and updating the NDcPP2.2e/TLS1.2 requirements. I don't think we should make this change in the editorial phase since it sounds like it requires adding selections to FCS_(D)TLSEXT.1 SFRs, so FCS(D)TLSEXT.2 SFRs can be moved from Optional to selection-based. I don't see a fundamental difference since the FCS(D)TLS*_EXT.1 selection would effectively be Optional.

[sheepbaron]

For both Comment 14 and 15:

1. Since FAU_STG_EXT.1 is mandatory, it seems to me that FAU_STG.1 should be mandatory as well.

2. FAU_STG_EXT.1.2; FAU_STG_EXT.3: can remain Optional SFRs.

3. FPT_ITT.1, FTP_TRP.1/Join, FCO_CPC_EXT.1 & FIA_X509_EXT.1/ITT should be changed to selection-based SFRs based on the following selection logic chain:

If either of the following are selected in FAU_STG_EXT.1.2[mandatory SFR]:

• "The TOE shall be a distributed TOE that stores audit data on the following TOE components: [assignment: identification of TOE components],"
• "The TOE shall be a distributed TOE with storage of audit data provided externally for the following TOE components: [assignment: list of TOE components that do not store audit data locally and the other TOE components to which they transmit their generated audit data].";

then FCO_CPC_EXT.1 must be selected.

FPT_ITT.1 and FTP_TRP.1/Join are selection options within FCO_CPC_EXT.1.

If FPT_ITT.1 is selected, and then a protocol which requires X.509 is selected within FPT_ITT.1, then FIA_X509_EXT.1/ITT is required.

5. If FCS_DTLSC_EXT.2 is to be made Selection-based instead of remaining Optional, then an SFR in FCS_DTLSC_EXT.1 must be modified or added to include a selection option for mutual authentication. Implications: Making mutual auth selection-based would make mutual auth required to be selected if the TOE supports it as apposed to mutual auth being optionally (i.e. ST authors discretion) included if the TOE supports mutual auth.

This rationale also applies for FCS_TLSC_EXT.2.