NIAP recently released their first, and widely anticipated, modular protection profile package targeting the TLS communication protocol. This package is not meant to stand on its own and is designed to be included within new versions of NIAP protection profiles. While it is unlikely to be explicitly referenced by collaborative Protection Profiles (cPP), the requirements will almost certainly be highly similar.
Some highlights of the new package:
- Largely the same as existing TLS requirements
- TLS clients are no longer restricted to only the set of claimed ciphersuites
- An admin can accept an X.509 certificate that fails validation if permitted by explicit override
- DHE parameters of up to 8192 bits are now allowed
- NIAP gives a hat tip to automated testing by explicitly stating that testing may be performed manually or with an automated framework that provides empirical evidence