NIAP: View Technical Decision Details
TD0743:  FTP_DIT_EXT.1.1 Selection exclusivity

Publication Date
2023.06.07

Protection Profiles
PP_APP_v1.4

Other References
FTP_DIT_EXT.1.1

Issue Description

FTP_DIT_EXT.1 needs more clarity regarding when mutual authentication applies.

The App1.4 PP XML for FTP_DIT_EXT.1 has the “not transmit any”, “encrypt all transmitted”, “invoke platform … sensitive data”, and “invoke platform … all data” options tagged as exclusive selections, which makes sense given the SFR wording "all data". However, the human-readable versions (PDF/HTML) give no indication that these selections are intended to be exclusive, and STs have been generated that make more than one of them (e.g., where the application uses TLSC (TLS as a client) to transmit data to a server, but the platform uses HTTPS to establish the initial selection).

Resolution

TD0655 is archived and replaced with the following:

FTP_DIT_EXT.1 in PP_APP_V1.4 is modified to read as follows:

FTP_DIT_EXT.1 Protection of Data in Transit

FTP_DIT_EXT.1.1   The application shall [selection:

·       not transmit any [selection: data, sensitive data],

·       encrypt all transmitted [selection: sensitive data, data] with [selection:

- HTTPS as a client in accordance with FCS_HTTPS_EXT.1/Client for [assignment: function(s)],
- HTTPS as a server in accordance with FCS_HTTPS_EXT.1/Server for [assignment: function(s)],
- HTTPS as a server using mutual authentication in accordance with FCS_HTTPS_EXT.2 for [assignment: function(s)],
- TLS as a server as defined in the Functional Package for TLS and also supports functionality for [selection: mutual authentication, none] for [assignment: function(s)],
- TLS as a client as defined in the Functional Package for TLS for [assignment: function(s)],
- DTLS as a server as defined in the Functional Package for TLS and also supports functionality for [selection: mutual authentication, none] for [assignment: function(s)],
- DTLS as a client as defined in the Functional Package for TLS for [assignment: function(s)],
- SSH as defined in the Functional Package for Secure Shell for [assignment: function(s)],
- IPsec as defined in the PP-Module for VPN Client for [assignment: function(s)]

],

·       invoke platform-provided functionality to encrypt all transmitted sensitive data with [selection: HTTPS, TLS, DTLS, SSH] for [assignment: function(s)],

·       invoke platform-provided functionality to encrypt all transmitted data with [selection: HTTPS, TLS, DTLS, SSH] for [assignment: function(s)]

] between itself and another trusted IT product.

Application Note: Encryption is not required for applications transmitting data that is not sensitive.

If "not transmit any" is selected, no other option can be selected.

If "not transmit any" is NOT selected, it is possible to select more than one of the other options to encrypt data for a specific cryptographic function (e.g., the application encrypts management data using SSH AND either invokes platform-provided functionality to encrypt syslog data using TLS OR encrypts syslog data using TLS itself). Protocol selections and function assignments should be made to cover all data/sensitive data.

If "encrypt all transmitted" is selected and "TLS" or "DTLS" as a client/server is selected, then the corresponding elements from the Functional Package for TLS must be selected.

If "encrypt all transmitted" is selected, "HTTPS" is selected, and the TOE acts as a client, then FCS_HTTPS_EXT.1/Client is required.

If "encrypt all transmitted" is selected, "HTTPS" is selected, and the TOE acts as a server, then FCS_HTTPS_EXT.1/Server is required.

If the TOE acts as a server and "mutual authentication" is selected in the TLS Package, then FCS_HTTPS_EXT.2 is also required.

If "encrypt all transmitted" is selected and "DTLS" is selected, then FCS_DTLS_EXT.1 is required.

If "encrypt all transmitted" is selected and "SSH" is selected, then the TSF shall be validated against the Functional Package for Secure Shell.

If "encrypt all transmitted" is selected and "IPsec" is selected, then the TSF must claim conformance to a PP-Configuration that includes the VPN Client PP-Module.

If "encrypt all transmitted" is selected, the corresponding FCS_COP.1 requirements will be included.

In addition to the above, FIA_X509_EXT.1 and FIA_X509_EXT.2 are required when any of the following is true:

·       "encrypt all transmitted" is selected and the TOE implements a protocol that requires certificates

·       "invoke platform-provided functionality to encrypt all transmitted sensitive data" is selected and the platform implements a protocol that requires certificates

·       "invoke platform-provided functionality to encrypt all transmitted data" is selected and the platform implements a protocol that requires certificates

Note: FIA_X509_EXT.1 and FIA_X509_EXT.2 are not applicable when the TOE acts as an HTTPS/(D)TLS server and "mutual authentication" is not selected.

The selections for mutual authentication for HTTPS align with the selections in this SFR. The selections for mutual authentication must match the corresponding requirements in the Functional Package for TLS.
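
The selection and dependency rules in the application note above are the kind of thing an ST author or evaluator checks by hand against the PP XML, which is where the original exclusivity tagging lived. The following Python is an added example, not NIAP's PP tooling or any CCEVS code, that encodes those rules so a set of FTP_DIT_EXT.1.1 claims can be checked mechanically: "not transmit any" excludes everything else, every other selection needs a function assignment, platform selections cannot claim IPsec, and each selection pulls in the dependent SFRs and packages named in the note. The Claim field names, the protocol labels and the sample claim sets are this example's own constructions. Two readings are assumptions of this example rather than statements of the TD: only HTTPS, TLS and DTLS are treated as "a protocol that requires certificates" (SSH authenticates with host keys), and the FCS_HTTPS_EXT.2 rule is applied to the HTTPS server selection.

```python
from dataclasses import dataclass

# Assumptions of this example, not of the TD: protocols in this SFR whose use
# relies on X.509 certificates. SSH is left out (host keys, not certificates).
CERT_PROTOCOLS = {"HTTPS", "TLS", "DTLS"}
TSF_PROTOCOLS = {"HTTPS", "TLS", "DTLS", "SSH", "IPsec"}   # "encrypt all transmitted" items
PLATFORM_PROTOCOLS = {"HTTPS", "TLS", "DTLS", "SSH"}       # platform items offer no IPsec
ROLE_PROTOCOLS = {"HTTPS", "TLS", "DTLS"}                  # items split into client/server


@dataclass(frozen=True)
class Claim:
    """One bullet of FTP_DIT_EXT.1.1 as claimed in an ST (field names are this example's)."""
    kind: str                  # "not_transmit" | "tsf" | "platform_sensitive" | "platform_all"
    protocol: str = ""         # "" for not_transmit
    role: str = ""             # "client" | "server" for HTTPS/TLS/DTLS, else ""
    mutual_auth: bool = False  # the [selection: mutual authentication, none] of a server item
    functions: tuple = ()      # the [assignment: function(s)] added by TD0743


def check_ftp_dit(claims):
    """Apply the TD0743 application-note rules to a set of claims.

    Returns {"ok": bool, "problems": [...], "required": [...]}, where
    "required" lists the dependent SFRs and packages the claims pull in.
    """
    problems, required = [], set()
    kinds = [c.kind for c in claims]

    if "not_transmit" in kinds and len(claims) > 1:
        problems.append('"not transmit any" is exclusive; no other option may be selected')

    for c in claims:
        if c.kind == "not_transmit":
            continue
        if c.kind not in ("tsf", "platform_sensitive", "platform_all"):
            problems.append(f"unknown selection kind {c.kind!r}")
            continue
        if not c.functions:
            problems.append(f"{c.kind}/{c.protocol}: [assignment: function(s)] is empty")
        allowed = TSF_PROTOCOLS if c.kind == "tsf" else PLATFORM_PROTOCOLS
        if c.protocol not in allowed:
            problems.append(f"{c.kind}: {c.protocol!r} is not a selectable protocol here")
            continue
        if c.kind == "tsf" and c.protocol in ROLE_PROTOCOLS and c.role not in ("client", "server"):
            problems.append(f"tsf/{c.protocol}: client or server role must be selected")
            continue
        if c.mutual_auth and c.role != "server":
            problems.append(f"{c.kind}/{c.protocol}: mutual authentication is only a server selection")

        if c.kind == "tsf":
            required.add("FCS_COP.1 (corresponding requirements)")
            if c.protocol in ("TLS", "DTLS"):
                required.add("Functional Package for TLS (corresponding elements)")
            if c.protocol == "DTLS":
                required.add("FCS_DTLS_EXT.1")
            if c.protocol == "HTTPS":
                required.add("FCS_HTTPS_EXT.1/Client" if c.role == "client" else "FCS_HTTPS_EXT.1/Server")
                if c.role == "server" and c.mutual_auth:   # read as the HTTPS server case (assumption)
                    required.add("FCS_HTTPS_EXT.2")
            if c.protocol == "SSH":
                required.add("Functional Package for Secure Shell")
            if c.protocol == "IPsec":
                required.add("PP-Configuration including the VPN Client PP-Module")

        # FIA_X509_EXT.1/2 apply to a certificate-based protocol, except when the
        # TOE is an HTTPS/(D)TLS server without mutual authentication.
        if c.protocol in CERT_PROTOCOLS and not (c.role == "server" and not c.mutual_auth):
            required.add("FIA_X509_EXT.1 and FIA_X509_EXT.2")

    return {"ok": not problems, "problems": problems, "required": sorted(required)}


# Constructed sample claim sets (not taken from any real ST). MIXED_ST is the
# situation from the issue description: the application itself uses TLS as a
# client for one function and relies on platform HTTPS for another, which
# TD0743 permits. CONFLICTING_ST pairs "not transmit any" with another option.
MIXED_ST = (
    Claim("tsf", "TLS", "client", functions=("syslog export",)),
    Claim("platform_sensitive", "HTTPS", functions=("update check",)),
)
CONFLICTING_ST = (
    Claim("not_transmit"),
    Claim("tsf", "SSH", functions=("remote administration",)),
)

if __name__ == "__main__":
    for name, st in (("mixed", MIXED_ST), ("conflicting", CONFLICTING_ST)):
        print(name, check_ftp_dit(st))
```

The "required" list is the part worth reading when reviewing an ST: it is the set of SFRs and packages the FTP_DIT_EXT.1 selections oblige the ST to contain, and a missing entry there is the usual reason such a claim fails to clear evaluation.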

Justification

Added "for [assignment: function(s)]" to all the encryption selections and updated the Application Note (adding "OR application encrypts syslog using TLS. Protocol selections and function assignments should be made to cover all data/sensitive data") as necessary to address the issue.