NIAP: View Technical Decision Details
NIAP/CCEVS
TD0726:  Corrections to (D)TLSS SFRs in TLS 1.1 FP

Publication Date
2023.03.17

Protection Profiles
PKG_TLS_V1.1

Other References
FCS_DTLSS_EXT.1.4, FCS_TLSS_EXT.1.3

Issue Description

In the TLS 1.1 Functional Package (FP), the following discrepancies were uncovered in FCS_DTLSS_EXT.1.4 and FCS_TLSS_EXT.1.3:

1) The last selection item is "no other key establishment methods". This is not a valid selection item because the ST author has to pick at least one key establishment method. If this text is to stay, it needs to come after the big selection (e.g., "...] and no other key establishment methods"). This text is not present in the corresponding SFR elements in TLS 2.0 FP.

2) Most of the other selection items contain selections in which the last item is "no other ___". These are not valid selection items because the ST author must pick at least one of the other items. If this text is to stay, it needs to come after the selection (e.g., "RSA with size [selection: 2048 bits, 3072 bits, 4096 bits] and no other sizes,"). This is what was done in the corresponding SFR elements in TLS 2.0 FP.

Resolution

FCS_TLSS_EXT.1.3 in Appendix B of PKG_TLS_V1.1 is modified as follows, with strikethroughs in red highlighting denoting deletion and underlines in green highlighting denoting additions:

FCS_TLSS_EXT.1.3

The product shall perform key establishment for TLS using [selection:

- RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes] and no other sizes,

- Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other sizes] and no other sizes,

- Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups] and no other groups,

- ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves,

no other key establishment methods

].

FCS_DTLSS_EXT.1.4 in Appendix B of PKG_TLS_V1.1 is modified as follows, with strikethroughs in red highlighting denoting deletion and underlines in green highlighting denoting additions:

FCS_DTLSS_EXT.1.4

The product shall perform key establishment for DTLS using [selection:

- RSA with size [selection: 2048 bits, 3072 bits, 4096 bits, no other sizes] and no other sizes,

- Diffie-Hellman parameters with size [selection: 2048 bits, 3072 bits, 4096 bits, 6144 bits, 8192 bits, no other size] and no other sizes,

- Diffie-Hellman groups [selection: ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, no other groups] and no other groups,

- ECDHE parameters using elliptic curves [selection: secp256r1, secp384r1, secp521r1] and no other curves,

no other key establishment methods

].

Justification

See issue description.

 
 