commoncriteria / authserver

Authentication Server
The Unlicense

EAP-TLS dependencies #5

Open jfisherbah opened 3 years ago

jfisherbah commented 3 years ago

FCS_EAP-TLS_EXT.1 currently re-defines a number of requirements that the NDcPP and the TLS Package already define for TLS. For comparison, the MACsec EP defines an FCS_EAP-TLS_EXT.1 component that has only two elements, whereas the Auth Server's version of the component defines seven.

Should the Auth Server Module's version of FCS_EAP-TLS_EXT.1 be updated to eliminate SFR elements that may be redundant when the relevant Base-PP TLS requirements are inherited?

ajlaing commented 3 years ago

We should try to be consistent between PPs when defining extended SFRs. FCS_EAP_TLS_EXT.1 instances should be reviewed and updated accordingly. Both seem to be redefining the TLS SFRs; it would seem that referencing the TLS SFRs from the base (or the package) would help attain this consistency. Unless there is a need for separate TLS requirements for EAP-TLS, this should be the preferred approach. The EAP-TLS (EAP-TTLS) SFR should focus on EAP-specific security functionality (using mutually authenticated TLS to authenticate the user, validating the certificate against specific trust stores, matching identifiers to determine user authorization/accounting, providing accept/reject messages accordingly...

jfisherbah commented 2 years ago

FCS_EAP-TLS_EXT.1 in auth server is still significantly different from the same SFR in MACsec (not saying that's necessarily a problem), but it's still worth investigating why there are differences.