What’s New In App PP v1.4

Marina Ibrishimova | Common Criteria

The Protection Profile for Application Software (APP PP) v1.4 has recently been published. Here are some key points from our initial review.

  • PP-Modules. With APP PP v1.4, vendors are now allowed to specify additional protection profiles (PPs) and PP-Modules in a PP-Configuration. Previously, only the PP-Module for VPN Clients could be claimed with this PP.
  • SSH. The Functional Package for Secure Shell (SSH) v1.0 was added to APP PP v1.4. It supersedes the Extended Package for Secure Shell (SSH) v1.0, which is about to sunset on November 13th, 2021.
  • MEC. An optional selection to include FDP_PRT_EXT.1 from the PP-Module for File Encryption was added to FMT_MEC_EXT.1.
  • X509. Clarifications were added on when FIA_X509_EXT.1/2 need to be claimed.

Below is a detailed summary of the changes between APP PP v1.3 and APP PP v1.4. If you need help determining exactly where your product stands in terms of compliance, you should try our Functional Gap Assessment (FGA) powered by Greenlight and our team of testing experts. Contact us to find out more.

1 Introduction

  1. Minor changes were made to Section 1.2, Common Criteria Terms.
  2. Section 1.5 was added to explicitly specify the types of operating systems that the application shall run on – minor change. All operating systems listed in this section were already covered under the Evaluation Activities of APP PP v1.3.

2 Conformance Claims

  1. The vendor may now optionally claim conformance to the following PPs and PP-Modules:
     • Protection Profile for Mobile Device Management, Version 4.0
     • PP-Module for File Encryption, Version 1.0
     • PP-Module for File Encryption Enterprise Management, Version 1.0
     • PP-Module for VPN Clients, Version 2.3
     • PP-Module for Endpoint Detection and Response, Version 1.0
     • PP-Module for Host Agent, Version 1.0
     • PP-Module for Voice and Video over IP (VVoIP), Version 1.0
     • PP-Module for Email Clients, Version 1.0
  2. The Functional Package for Secure Shell (SSH) v1.0 was added.

3 Security Problem Description

  1. Minor changes were made to Sections 3.2 and 3.3.

4 Security Objectives

  1. A security objectives rationale table was added but there are no changes to the security objectives – minor change.

5 Security Requirements

  1. The Evaluation Activities for all SFRs were moved to the end of each SFR’s description – minor change.
  2. FCS_CKM.1 was moved above FCS_RBG_EXT.1.1 – minor change.
  3. TD0416 was applied to FCS_RBG_EXT.1.
  4. Section 5.1.7, TOE Security Functional Requirements Rationale, was added with a table mapping SFRs to security objectives – minor change.
  5. FMT_MEC_EXT.1 now allows the inclusion of FDP_PRT_EXT.1 from the PP-Module for File Encryption. Additional testing activities were added to accommodate this inclusion.
  6. FTP_DIT_EXT.1 now includes selections for HTTPS Client and HTTPS Server.
  7. FIA_X509_EXT.1 now includes clarifications on when X.509-related SFRs need to be included in the evaluation.
  8. The following SFRs were renamed:
     • FCS_CKM.1(2) => FCS_CKM.1/SK
     • FCS_CKM.1(1) => FCS_CKM/AK
     • FCS_CKM.1(3) => FCS_CKM/PBKDF
     • FCS_COP.1(1) => FCS_COP.1/SKC
     • FCS_COP.1(2) => FCS_COP.1/Hash
     • FCS_COP.1(3) => FCS_COP.1/Sig
     • FCS_COP.1(4) => FCS_COP.1/KeyedHash

6 Appendix A – Optional Requirements

  1. The Optional Requirements section is now subdivided into:
     • Strictly optional
     • Objective
     • Implementation-based