Provide the location of the issue
FCS_DTLSC_EXT.1.5 and FCS_TLSC_EXT.1.5
What is the correction request for the cPP? Please describe.
The SD requirements specify that [D]TLS 1.2 clients do not need to present the signature_algorithms extension. If a client does not include the signature_algorithms extension then it will use SHA-1 as the hash function (page 47, RFC 5246). NDcPP v3.0 deprecated use of SHA-1 and there are no signature algorithms that require use of SHA-1. In other words, the [D]TLS 1.2 clients need to include the signature_algorithms extension.
Describe the solution you'd like
FCS_DTLSC_EXT.1.5 - TSS. Remove the following:
[Conditional]: If “not present the signature_algorithms extension” is selected, the evaluator shall verify that the TSS describes support for at least one RSA ciphersuite, RSA in FCS_COP.1/SigGen, and SHA-1 for FCS_COP.1/Hash.
FCS_DTLSC_EXT.1.5 - Tests:
Remove Test 1
Renumber Tests 2 and 3 to Tests 1 and 2
FCS_TLSC_EXT.1.5 - TSS. Remove the following:
Remove: [Conditional]: If “not present the signature_algorithms extension” is selected, the evaluator shall verify that the TSS describes support for at least one RSA ciphersuite, RSA in FCS_COP.1/SigGen, and SHA-1 for FCS_COP.1/Hash.
FCS_TLSC_EXT.1.5 - Tests:
Remove Test 1
Renumber Tests 2 and 3 to Tests 1 and 2
Describe alternatives you've considered
Going with the requirements as defined in the TLS Functional Package.
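The check this request implies, as an added example that is not part of the issue or of the NDcPP SD: parse a TLS 1.2 ClientHello body, report whether signature_algorithms (extension type 13) is present, and flag any SHA-1 entry. The function names and the sample hello are constructed for illustration; the parser assumes a TLS ClientHello body without the 4-byte handshake header (a DTLS ClientHello carries an additional cookie field that is not handled here).

```python
import struct

SIGNATURE_ALGORITHMS = 13  # extension type, RFC 5246 section 7.4.1.4.1
HASH_SHA1 = 2              # HashAlgorithm.sha1 in RFC 5246

def build_client_hello(sig_algs):
    """Constructed sample ClientHello body; sig_algs=None omits the extension."""
    ext = b""
    if sig_algs is not None:
        pairs = bytes(b for pair in sig_algs for b in pair)
        data = struct.pack("!H", len(pairs)) + pairs
        ext = struct.pack("!HH", SIGNATURE_ALGORITHMS, len(data)) + data
    body = b"\x03\x03" + bytes(32)   # client_version 1.2, random (zeros: sample)
    body += b"\x00"                  # empty session_id
    body += b"\x00\x02\xc0\x2f"      # one cipher suite
    body += b"\x01\x00"              # null compression only
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    return body

def signature_algorithms(hello):
    """Return the offered (hash, signature) pairs, or None if the extension is absent."""
    pos = 2 + 32                                         # version + random
    pos += 1 + hello[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]                                # compression_methods
    if pos >= len(hello):
        return None                                      # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if etype == SIGNATURE_ALGORITHMS:
            n = struct.unpack_from("!H", hello, pos)[0]
            raw = hello[pos + 2: pos + 2 + n]
            return [(raw[i], raw[i + 1]) for i in range(0, len(raw) - 1, 2)]
        pos += elen
    return None

def sha1_exposure(hello):
    """Classify a ClientHello by whether it leaves SHA-1 signatures negotiable."""
    algs = signature_algorithms(hello)
    if algs is None:
        return "absent: peer assumes SHA-1 default"
    if any(h == HASH_SHA1 for h, _ in algs):
        return "present but offers SHA-1"
    return "ok"
```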