Commit f3ebe49f authored by Pierre Andouche


parent 564239a6
+14 −8
@@ -1880,7 +1880,7 @@ REFERENCE: ASS-REQ-6.2-01

- REFERENCE: ASS-REQ-6.4-08

  - OBJECTIVE: Verify the PKI ensures a prospective certificate subject possesses the private key that corresponds to the public key in the certificate request before issuing a certificate.
  - OBJECTIVE: Verify the PKI ensures a prospective certificate subject possesses the private key that corresponds to the public key in the certificate request before issuing a certificate, unless the private key never left the certificate issuance service.

  - PREPARATION: Document the circumstances in which the certificate generation service may issue a public-key certificate. Ability to request a certificate issuance.

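Review bot: the new exception in the OBJECTIVE ("unless the private key never left the certificate issuance service") introduces a case the PREPARATION line still does not cover: nothing asks the evaluator to document whether the PKI generates key pairs itself and how such keys are delivered, yet the later test steps branch on exactly that. Suggest extending the PREPARATION to something like "Document whether the certificate generation service generates key pairs on behalf of subjects and, if so, how the private key is delivered and protected", so the condition in the test steps can actually be decided from the preparation material.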
@@ -1888,17 +1888,21 @@ REFERENCE: ASS-REQ-6.2-01

    a) attempt to issue a certificate with digital signature capabilities for a given public-key;

    b) provide an invalid signature when required;
    b) if the PKI does not generate the key pair itself, or it has left the issuance service:

    c) verify the issuance to fail;
      b.1) provide an invalid signature when required;

    d) attempt to issue a certificate with encryption or key agreement capabilities for a given public-key;
      b.2) verify the issuance to fail;

    e) provide an invalid decryption when required;
    c) attempt to issue a certificate with encryption or key agreement capabilities for a given public-key;

    f) verify the issuance to fail.
    d) if the PKI does not generate the key pair itself, or it has left the issuance service:

    Among all the issuance attempts, verify the random value to sign or decrypt is always distinct, and their concatenation of high entropy.
      d.1) provide an invalid decryption when required;

      d.2) verify the issuance to fail.

    Among all the issuance attempts involving signing or decryption, verify the random value to sign or decrypt is always distinct, and their concatenation of high entropy.

  - VERDICT: SUCCESS if all the verifications pass; else FAIL.

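Review bot: the branch condition in the new b) and d), "if the PKI does not generate the key pair itself, or it has left the issuance service", does not match the OBJECTIVE wording ("unless the private key never left the certificate issuance service") and is grammatically ambiguous about what "it" refers to; suggest "if the PKI did not generate the key pair itself, or the private key has left the issuance service" in both places. More importantly, when the condition is false the procedure has no step at all, so the test succeeds without verifying anything for PKI-generated keys; suggest adding a step in that case (e.g. "b.3) otherwise, verify from the evidence collected during preparation that the private key was generated and retained inside the issuance service") so the VERDICT is not reached vacuously.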
@@ -1908,7 +1912,9 @@ REFERENCE: ASS-REQ-6.2-01

    b) the way issuances were requested, and the responses from the PKI;

    c) the random values generated by the PKI.
    c) the key pairs issued by the PKI if any, and how and when they were obtained;

    d) the random values generated by the PKI.

 #### 6.5 Certificate status
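Review bot: the new evidence item c), "the key pairs issued by the PKI if any, and how and when they were obtained", is ambiguous about who obtained them (the tester or the certificate subject) and does not ask for the information needed to support the new OBJECTIVE exception, namely whether the private key ever left the issuance service. Suggest "c) the key pairs generated by the PKI, if any, including how and when the private key was delivered to the subject and the protection applied to it;" so the report can substantiate a claim that the key never left the service.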