|
315 | 315 | Package Usage guidance defined in the TOE's relevant Base-PP applies to the usage of the packages for this module, unless explicitly stated otherwise in this section. |
316 | 316 | <package-usage-list> |
317 | 317 | <package-usage ref="X509"> |
| 318 | + <usage id="usage-x509-iteration" title="Required Iteration of X.509 Package Requirements for STIP Operations"> |
| 319 | + <description> |
| 320 | + The ST author shall include an iteration of the <xref to="X509"/> requirements in the ST for STIP purposes using the suffix "STIP". |
| 321 | + </description> |
| 322 | + <config> |
| 323 | + <ref-id>dummy-ref-id</ref-id> |
| 324 | + </config> |
| 325 | + </usage> |
318 | 326 | <usage id="usage-x509-roles" title="Required Role Selections in FIA_XCU_EXT.1.1"> |
319 | 327 | <description> |
320 | 328 | The ST author shall select the option to validate X.509 certificates in FIA_XCU_EXT.1.1. If the TOE supports certificate-based authentication for EST operations, the ST author shall also select the option to assert certificate identities. |
|
323 | 331 | <ref-id>dummy-ref-id</ref-id> |
324 | 332 | </config> |
325 | 333 | </usage> |
| 334 | + <usage id="usage-x509-extensions" title="Required Extension Processing in FIA_X509_EXT.1.2"> |
| 335 | + <description> |
| 336 | + The ST author shall select the option to process the basic constraints and extended key usage extensions. |
| 337 | + </description> |
| 338 | + <config> |
| 339 | + <ref-id>dummy-ref-id</ref-id> |
| 340 | + </config> |
| 341 | + </usage> |
| 342 | + <usage id="usage-x509-revocation-methods" title="CRL or OCSP-based Revocation Required for FIA_X509_EXT.1.3 "> |
| 343 | + <description> |
| 344 | + The TOE must support revocation that only involves CRL or OCSP. Accordingly, the TOE shall select only from options involving CRL or OCSP in FIA_X509_EXT.1.3 (e.g., the selection to treat all certificates older than a given short timeframe is not an acceptable substitute or alternative |
| 345 | + for supporting CRL or OCSP). |
| 346 | + </description> |
| 347 | + <config> |
| 348 | + <ref-id>dummy-ref-id</ref-id> |
| 349 | + </config> |
| 350 | + </usage> |
| 351 | + <usage id="usage-x509-revocation-connections" title="Connections to CRL or OCSP Servers Required for FIA_X509_EXT.1.4"> |
| 352 | + <description> |
| 353 | + Because the TOE is required to support CRL or OCSP, the TSF shall support an appropriate mechanism for obtaining revocation status information. In the case of CRL, the ST author shall claim that revocation status information is obtained via network connection to a CRL distribution point. |
| 354 | + In the case of OCSP, the ST author shall claim that revocation status information is obtained via network connection to an OCSP responder, via OCSP stapling, or via OCSP multi-stapling. |
| 355 | + </description> |
| 356 | + <config> |
| 357 | + <ref-id>dummy-ref-id</ref-id> |
| 358 | + </config> |
| 359 | + </usage> |
| 360 | + <usage id="usage-x509-eku-values" title="Restrictions on Acceptable Key Usage Values for FIA_X509_EXT.1.5"> |
| 361 | + <description> |
| 362 | + The TOE will always support the use of extendedKeyUsage values to verify that X.509 certificates are used in accordance with their intended purpose. Accordingly, the ST author shall claim that the TOE supports the processing of extendedKeyUsage fields in the leaf certificate (as opposed |
| 363 | + to application of trust store context rules or passing the certification path or other supported context information to an external function) and shall select all values that are relevant to the claimed uses of X.509 in the ST. In particular, the ST author shall include the options to require |
| 364 | + TLS servers to have the Server Authentication key purpose, TLS clients to have the Client Authentication key purpose, OCSP signers to have the OCSP signing key purpose, and update signing certificates to have the Code Signing key purpose. |
| 365 | + The ST author shall utilize the assignment for other EKU values to specify that certificates must not contain the 'any' key purpose. |
| 366 | + </description> |
| 367 | + <config> |
| 368 | + <ref-id>dummy-ref-id</ref-id> |
| 369 | + </config> |
| 370 | + </usage> |
326 | 371 | </package-usage> |
327 | 372 | <package-usage ref="tls"> |
328 | 373 | <usage id="usage-tls-roles" title="Required Selections in FCS_TLS_EXT.1.1"> |
|
0 commit comments