NIAP: View Technical Decision Details
TD0835:  Aligning MOD_ESC 1.0 with NDcPP 3.0E

Publication Date
2024.04.25

Protection Profiles
MOD_ESC_V1.0

Other References
Section 1.1, MOD_ESC_V1.0-SD

Issue Description

MOD_ESC_V1.0 must be updated for compatibility with CPP_ND_V3.0E.

Resolution

The bulleted list of Base-PPs in Section 1.1 Overview of MOD_ESC_V1.0 is modified as follows, with green highlighted underlines denoting addition:

  • collaborative Protection Profile for Network Devices (NDcPP), Version 3.0e

The bulleted list of Base-PPs in Section 1.1 Technology Area and Scope of Supporting Document of MOD_ESC_V1.0-SD is modified as follows, with green highlighted underlines denoting addition:

  • Protection Profile for Network Devices (NDcPP), Version 3.0e

The Application Note for FCS_DTLSS_EXT.1.1 in Section 5.1.1 of MOD_ESC_V1.0 is modified as follows, with green highlighted underlines denoting additions:

 

Application Note:

This SFR is selection-based in the NDcPP and remains selection-based in this PP-Module because DTLS may be used to secure transmitted media. In this case, it must be claimed if ‘DTLS’ is selected in FTP_ITC.1.1/ESC in addition to the applicable selection triggers in the Base-PP.

This SFR is also refined from its definition in the Base-PP by requiring the use of DTLS 1.2 if this function is claimed.

When CPP_ND_V3.0E is the Base-PP, the element in Section 5.1.2.1 should be used instead.

The Application Note for FCS_TLSC_EXT.1.1 in Section 5.1.1 of MOD_ESC_V1.0 is modified as follows, with green highlighted underlines denoting additions:

 

Application Note:

This SFR is selection-based in the NDcPP but is mandated by this PP-Module because Transport Layer Security (TLS) is used to secure SIP and H.323 communications. Additionally, this PP-Module mandates the use of TLS 1.2. When CPP_ND_V3.0E is the Base-PP, the element in Section 5.1.2.1 should be used instead.

The Application Note for FCS_TLSS_EXT.1.1 in Section 5.1.1 of MOD_ESC_V1.0 is modified as follows, with green highlighted underlines denoting additions:

 

Application Note:

This SFR is selection-based in the NDcPP but is mandated by this PP-Module because TLS is used to secure SIP and H.323 communications. Additionally, this PP-Module mandates the use of TLS 1.2. When CPP_ND_V3.0E is the Base-PP, the element in Section 5.1.2.1 should be used instead.

Section 5.1.2 Further Modified SFRs and its associated subsections are added to MOD_ESC_V1.0 as follows:

 

5.1.2 Further Modified SFRs

The SFRs listed in this section are defined in the NDcPP V3.0E and are relevant to the secure operation of the TOE. SFRs in this section must be used in lieu of their counterparts in Section 5.1.1 when CPP_ND_V3.0E is used as the Base-PP. When not further refined in this section, SFRs listed in Section 5.1.1 should be used as-is.

5.1.2.1 Cryptographic Support (FCS)

 

FCS_DTLSS_EXT.1 DTLS Server Protocol

FCS_DTLSS_EXT.1.1
The TSF shall implement DTLS 1.2 (RFC 6347) and [selection: DTLS 1.3 (RFC 9147), no other DTLS versions] and reject all other DTLS versions. The DTLS implementation will support the following ciphersuites:

[selection:
  • Select supported ciphersuites for DTLS 1.2 from List 1 in the NDcPP
  • Select supported ciphersuites for DTLS 1.3 from List 2 in the NDcPP
] and no other ciphersuites.

FCS_TLSC_EXT.1 TLS Client Protocol

FCS_TLSC_EXT.1.1
The TSF shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.3 (RFC 8446), no other TLS versions] supporting the following ciphersuites:

[selection:
  • Select supported ciphersuites for TLS 1.2 from List 1 in the NDcPP
  • Select supported ciphersuites for TLS 1.3 from List 2 in the NDcPP
] and no other ciphersuites.

FCS_TLSS_EXT.1 TLS Server Protocol

FCS_TLSS_EXT.1.1
The TSF shall implement TLS 1.2 (RFC 5246) and [selection: TLS 1.3 (RFC 8446), no other TLS versions] and reject all other TLS and SSL versions. The TLS implementation will support the following ciphersuites:

[selection:
  • Select supported ciphersuites for TLS 1.2 from List 1 in the NDcPP
  • Select supported ciphersuites for TLS 1.3 from List 2 in the NDcPP
] and no other ciphersuites.

Justification

See Issue Description.

 
 