NIAP: View Technical Decision Details
TD0784:  Terminology Change in MDMPP: Extended to Functional Package

Publication Date
2023.10.11

Protection Profiles
PP_MDM_V4.0

Other References
Common Criteria Terms, Conformance Claims, FIA_X509_EXT.2.1, FTP_ITC.1.1(1), FTP_TRP.1.1(1), FTP_TRP.1.3(1), FPT_ITT.1.1(1)

Issue Description

SSH Extended Package (deprecated) is referenced in multiple places. These references should be replaced with the superseding "SSH Functional Package". In addition, the conformance claim needs to be updated to include the SSH package.

Resolution

The following update is made to PP-MDM_v4.0 Common Criteria Terms, with red highlighted strikethroughs denoting deletions and green highlighted underlines denoting additions:

1.1.1 Common Criteria Terms

Table 1 – Common Criteria Terms

Common Criteria (CC)

Common Criteria for Information Technology Security Evaluation.

Extended Functional Package (EFP)

An implementation-independent set of security requirements for a category of products, which extends those in a Protection Profile document that collects SFRs for a particular protocol, technology, or functionality.

 

The following update is made to PP_MDM_V4.0 Section 2 (Conformance Claims), with green highlighted underlines denoting additions:

This PP-Module is TLS Package Version 1.1 Conformant.

This PP-Module is SSH Package Version 1.0 Conformant.

The following update is made to FIA_X509_EXT.2.1 in PP_MDM_V4.0, with red highlighted strikethroughs denoting deletions and green highlighted underlines denoting additions:

FIA_X509_EXT.2.1

The TSF shall [selection:

...

- implement functionality to use X.509v3 certificates as defined by RFC 5280 to support authentication for [selection:

- IPsec as defined in the PP-Module for VPN Client,

- HTTPS in accordance with FCS_HTTPS_EXT.1,

- TLS as defined in the Package for Transport Layer Security,

- DTLS as defined in the Package for Transport Layer Security,

- SSH as defined in the Extended Functional Package for Secure Shell,

- no protocols

...

The following updates are made to FTP_ITC.1.1(1) in PP_MDM_V4.0, with red highlighted strikethroughs denoting deletions and green highlighted underlines denoting additions:

FTP_ITC.1.1(1)

Refinement: The TSF shall [selection:

...

implement functionality using [selection:

- IPsec as defined in the PP-Module for VPN Client,

- SSH as defined in the Extended Functional Package for Secure Shell,

- mutually authenticated TLS as defined in the Package for Transport Layer Security,

- mutually authenticated DTLS as defined in the Package for Transport Layer Security,

- HTTPS in accordance with FCS_HTTPS_EXT.1

]

...

Application Note:

...

If the ST author selects "SSH as defined in the Extended Functional Package for Secure Shell", the TSF must be validated against the EP FP for Secure Shell with the MDM PP. It should be noted that due to constraints imposed by this PP that sha1 cannot be used.

...

The following update is made to FTP_TRP.1.1(1) in PP_MDM_V4.0, with red highlighted strikethroughs denoting deletions and green highlighted underlines denoting additions:

FTP_TRP.1.1(1)

Refinement: The TSF shall [selection:

...

implement functionality using [selection:

- IPsec as defined in the PP-Module for VPN Client,

- TLS as defined in the Package for Transport Layer Security,

- HTTPS in accordance with FCS_HTTPS_EXT.1,

- SSH as defined in the Extended Functional Package for Secure Shell

]

...

The following update is made to the Application Note for FTP_TRP.1.3(1) in PP_MDM_V4.0, with red highlighted strikethroughs denoting deletions and green highlighted underlines denoting additions:

FTP_TRP.1.3(1)

Application Note:

...

If the ST author selects "SSH as defined in the Extended Functional Package for Secure Shell", the TSF must be validated against the EP FP for Secure Shell with the MDM PP. It should be noted that due to constraints imposed by this PP that sha1 cannot be used.

...

The following updates are made to FPT_ITT.1.1(1) in PP_MDM_V4.0, with red highlighted strikethroughs denoting deletions and green highlighted underlines denoting additions:

FPT_ITT.1.1(1)

Refinement: The TSF shall [selection:

...

- implement functionality using [selection:

- IPsec, as defined in the PP-Module for VPN Client,

- mutually authenticated TLS as defined in the Package for Transport Layer Security,

- mutually authenticated DTLS as defined in the Package for Transport Layer Security,

- HTTPS in accordance with FCS_HTTPS_EXT.1,

- SSH as defined in the Extended Functional Package for Secure Shell

]

...

Application Note:

...

If the ST author selects "SSH as defined in the Extended Functional Package for Secure Shell", the TSF must be validated against the EP FP for Secure Shell with the MDM PP. It should be noted that due to constraints imposed by this PP that sha1 cannot be used.

...

Justification

The conformance claims section and applicable SFRs need to be updated to use the SSH Functional Package.

 
 