Closed kr15tyk closed 10 months ago
Comment 14: Sounds reasonable.
Comment 15: I think this was largely from following and updating the NDcPP 2.2e/TLS 1.2 requirements. I don't think we should make this change in the editorial phase, since it sounds like it requires adding selections to the FCS_(D)TLS*_EXT.1 SFRs so that the FCS_(D)TLS*_EXT.2 SFRs can be moved from Optional to selection-based. I don't see a fundamental difference, since the FCS_(D)TLS*_EXT.1 selection would effectively be Optional.
For both Comment 14 and 15:
Since FAU_STG_EXT.1 is mandatory, it seems to me that FAU_STG.1 should be mandatory as well.
FAU_STG_EXT.1.2; FAU_STG_EXT.3: can remain Optional SFRs.
FPT_ITT.1, FTP_TRP.1/Join, FCO_CPC_EXT.1 & FIA_X509_EXT.1/ITT should be changed to selection-based SFRs based on the following selection logic chain:
If either of the following is selected in FAU_STG_EXT.1.2 [mandatory SFR]:
then FCO_CPC_EXT.1 must be selected.
FPT_ITT.1 and FTP_TRP.1/Join are selection options within FCO_CPC_EXT.1.
If FPT_ITT.1 is selected, and a protocol that requires X.509 is then selected within FPT_ITT.1, then FIA_X509_EXT.1/ITT is required.
This rationale also applies for FCS_TLSC_EXT.2.
Location: NDcPP: Appendix A, B
Comment 14: Need to better explain when (D)TLS requirements are selection-based versus optional. Suggested Change: Consider making renegotiation protection (including TLS 1.3 rejection) selection-based (if (D)TLS 1.2 is claimed – as is, or if (D)TLS is claimed – if modified as suggested below). Why wasn't this selection-based for TLS mutual authentication and DTLS mutual authentication? What was the reasoning?
Comment 15: Why wasn't this selection-based for TLS mutual authentication and DTLS mutual authentication? What was the reasoning? Suggested Change: Discuss with the appropriate people, which may result in a suggested change from NIAP.