NISTIR 8055 Requirement Category | Req. # | Section # | Test Case Identifier | Result | Notes
--- | --- | --- | --- | --- | ---
RC1 - Device and Cryptographic Token | RC1.1 | [Link] | DPC_TP0.00 | OK | The DPC is issued to the MobileIron Mobile@Work software container.
RC1 - Device and Cryptographic Token | RC1.2 | [Link] | | OK | Project currently does not implement storage of the DPC to a removable hardware token.
RC1 - Device and Cryptographic Token | RC1.3 | [Link] | DPC_TP0.00 | OK | Both Digital Signature and Key Management keys can be provisioned to the software container.
RC1 - Device and Cryptographic Token | RC1.4 | [Link].1 | DPC_TP0.07 | OK | Entrust IDG revokes the DPC PIV Authentication certificate upon the DPC Subscriber reporting the DPC as lost or compromised. Alternatively, MobileIron Core can be used to remotely destroy the DPC using either the wipe or retire functions available on managed iOS devices.
RC1 - Device and Cryptographic Token | RC1.5 | [Link].2 | DPC_TP0.07 | OK | Entrust IDG revokes the DPC PIV Authentication certificate upon the DPC Subscriber reporting the DPC as lost or compromised. Alternatively, MobileIron Core can be used to remotely destroy the DPC using either the wipe or retire functions available on managed iOS devices.
RC1 - Device and Cryptographic Token | RC1.6 | [Link].3 | DPC_TP0.07 | OK | Entrust IDG revokes the DPC PIV Authentication certificate upon the DPC Subscriber reporting the DPC as lost or compromised. Alternatively, MobileIron Core can be used to remotely destroy the DPC using either the wipe or retire functions available on managed iOS devices.
RC1 - Device and Cryptographic Token | RC1.7 | [Link].4 | DPC_TP0.07 | OK | Entrust IDG revokes the DPC PIV Authentication certificate upon the DPC Subscriber reporting the DPC as lost or compromised. Alternatively, MobileIron Core can be used to remotely destroy the DPC using either the wipe or retire functions available on managed iOS devices.
RC1 - Device and Cryptographic Token | RC1.8 | [Link].1.1 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.9 | [Link].1.2 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.10 | [Link].1.3 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.11 | [Link].1.4 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.12 | [Link].1.5.1 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.13 | [Link].1.5.2 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.14 | [Link].1.6.1 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.15 | [Link].1.6.2 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.16 | [Link].1.6.3 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.17 | [Link].1.7.1 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.18 | [Link].1.7.2 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.19 | [Link].1.7.3 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.20 | [Link].2.1 | Documentation | OK | The DPC is embedded within a mobile device in the form of the MobileIron PIV-D software cryptographic module.
RC1 - Device and Cryptographic Token | RC1.21 | [Link].2.2 | Documentation | OK | There is no assertion that the issuance process to the MobileIron PIV-D container is at LOA-4.
RC1 - Device and Cryptographic Token | RC1.22 | [Link].2.3 | N/A | N/A | The DPC is embedded within a mobile device in the form of the MobileIron PIV-D software cryptographic module.
RC1 - Device and Cryptographic Token | RC1.23 | [Link].2.4 | Documentation | OK | The DPC Authentication certificate asserts the [Link].[Link].48.5 test object identifier.
RC1 - Device and Cryptographic Token | RC1.24 | [Link].2.5 | Documentation | OK | The DPC may optionally contain a Digital Signature and Key Management private key.
RC1 - Device and Cryptographic Token | RC1.25 | [Link].6 | Documentation | OK | The authentication mechanism is implemented outside of the cryptographic module by the MobileIron@Work application.
RC1 - Device and Cryptographic Token | RC1.26 | [Link].7 | N/A | N/A | N/A
RC1 - Device and Cryptographic Token | RC1.27 | [Link].10 | N/A | N/A | N/A
RC2 - PIV Card | RC2.1 | [Link] | N/A | N/A | The PIV Cards in the test environment are not valid and are not subject to identity proofing and vetting.
RC2 - PIV Card | RC2.2 | [Link] | DPC_TP0.00 | OK | DPC issuance can be configured to require authentication to the Entrust IDG Self-Service Portal using a valid PIV card.
RC2 - PIV Card | RC2.3 | [Link] | DPC_TP0.00 | OK | The Entrust IDG Self-Service Portal verifies that the PIV Authentication certificate is valid.
RC2 - PIV Card | RC2.4 | [Link] | Documentation | OK | This setting was not configured in the shared demonstration environment. However, this setting can be configured such that the DPC will be revoked from the CA and deleted from IdentityGuard.
RC2 - PIV Card | RC2.5 | [Link] | DPC_TP0.03 | OK | Entrust IDG allows a DPC to be provisioned to multiple devices based on the same PIV card and user identity.
RC3 - PKI | RC3.1 | [Link] | DPC_TP0.00 | | Entrust DPC issuance occurs at LOA3 (remote, issuance to a software-based cryptographic container).
RC3 - PKI | RC3.2 | [Link] | DPC_TP0.00 | OK | An X.509 public key certificate is stored in the provisioned DPC.
RC3 - PKI | RC3.3 | [Link] | Documentation - Business Process | OK | There is no automated process built into the product. That is, the subscriber would use their updated PIV card to issue a new DPC containing the corrected DN. The old DPC could be deleted, revoked, or left with no action taken, depending on organizational policies.
RC3 - PKI | RC3.4 | [Link].2 | DPC_TP0.00 | OK | The DPC authentication certificate does not contain an authorityInfoAccess extension as required, due to it being provisioned for a test environment.
RC3 - PKI | RC3.5 | [Link].3 | Documentation | OK | Entrust IDG allows an organization to customize the DPC policy over the expiration date of the PIV Authentication certificate of a DPC.
RC3 - PKI | RC3.6 | [Link].1 | DPC_TP0.00 | OK | The provisioned DPC meets the given cryptographic standards; the signature algorithm is SHA256 with an RSA 2048 public key.
RC4 - Level of Assurance | RC4.1 | [Link] | DPC_TP0.00 | OK | The Entrust/MobileIron architecture supports DPC issuance at LOA-3.
RC4 - Level of Assurance | RC4.2 | [Link] | DPC_TP0.00 | OK | Entrust IDG supports remote (LOA-3) issuance via the Entrust IDG Self-Service Portal.
RC4 - Level of Assurance | RC4.3 | [Link] | DPC_TP0.00 | OK | We observed TLS 1.2 for remote issuance of the DPC.
RC4 - Level of Assurance | RC4.4 | [Link] | DPC_TP0.00 | OK | The Entrust issuance process involves subsequent identification of the DPC applicant using a temporary secret (OTP).
RC4 - Level of Assurance | RC4.5 | [Link] | N/A | N/A | N/A
RC4 - Level of Assurance | RC4.6 | [Link] | N/A | N/A | N/A
RC4 - Level of Assurance | RC4.7 | [Link] | N/A | N/A | N/A
RC4 - Level of Assurance | RC4.8 | [Link] | N/A | N/A | N/A
RC4 - Level of Assurance | RC4.9 | [Link] | N/A | N/A | N/A
RC4 - Level of Assurance | RC4.10 | [Link] | DPC_TP0.04, DPC_TP0.05, DPC_TP0.06 | OK | The initial issuance workflow is used to obtain a new DPC should a previously-issued DPC become [expired or] compromised.
RC4 - Level of Assurance | RC4.11 | [Link] | N/A | N/A | N/A
RC4 - Level of Assurance | RC4.12 | [Link].1 | DPC_TP0.00 | OK | The DPC Authentication certificate asserts the [Link].[Link].48.5 test object identifier.
RC4 - Level of Assurance | RC4.13 | [Link].2 | N/A | N/A | N/A
RC4 - Level of Assurance | RC4.14 | [Link].3 | DPC_TP0.00 | OK | The MobileIron cryptographic module leverages the Apple iOS CoreCrypto Module and the OpenSSL FIPS Object Module. [Link] on_FIPS%20140-2_Affirmation_Letter-[Link]
RC5 - Credential Management System | RC5.1 | [Link] | Documentation/Collaborator Verification | OK | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.2 | [Link] | Documentation/Collaborator Verification | OK | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.3 | [Link].1 | Documentation/Collaborator Verification | OK | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.4 | [Link].2 | Documentation/Collaborator Verification | OK | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.5 | [Link] | Documentation/Collaborator Verification | OK | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.6 | [Link].1 | Documentation | OK | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.7 | [Link].2.1 | Documentation | N/A | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.8 | [Link].2.2 | Documentation | N/A | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.9 | [Link].2.3 | Documentation | N/A | The same entity controls the PIV and DPC database.
RC5 - Credential Management System | RC5.10 | [Link].1 | DPC_TP0.09 | OK | The DPC Subscriber must provide a password to the MobileIron app prior to gaining access to the DPC and keys.
RC5 - Credential Management System | RC5.11 | [Link].2 | Documentation | OK | MobileIron can be configured to enforce complexity requirements on the password protecting the DPC.
RC5 - Credential Management System | RC5.12 | [Link].3 | Documentation | OK | MobileIron can be configured to enforce complexity requirements on the password protecting the DPC.
RC5 - Credential Management System | RC5.13 | [Link].4 | Documentation | OK | MobileIron can be configured to block access to the PIV Authentication private key after a number of failed activation attempts (e.g. 5 attempts).
RC5 - Credential Management System | RC5.14 | [Link].5 | Documentation | OK | MobileIron can be configured to limit the number of activation attempts that may be made over time.
RC5 - Credential Management System | RC5.15 | [Link].8.1 | DPC_TP0.10 | OK | DPC password reset is not directly supported; the initial issuance workflow must be completed to receive a new DPC following removal of the software token from the mobile device.
RC5 - Credential Management System | RC5.16 | [Link].8.2 | N/A | N/A | N/A
RC5 - Credential Management System | RC5.17 | [Link].9.1 | DPC_TP0.10 | | DPC password reset is not directly supported; the initial issuance workflow must be completed to receive a new DPC following removal of the software token from the mobile device.
RC5 - Credential Management System | RC5.18 | [Link].9.2 | DPC_TP0.10 | | DPC password reset is not directly supported; the initial issuance workflow must be completed to receive a new DPC following removal of the software token from the mobile device.
RC5 - Credential Management System | RC5.19 | [Link].9.3 | DPC_TP0.10 | | DPC password reset is not directly supported; the initial issuance workflow must be completed to receive a new DPC following removal of the software token from the mobile device.
RC5 - Credential Management System | RC5.20 | [Link].9.4 | DPC_TP0.10 | | DPC password reset is not directly supported; the initial issuance workflow must be completed to receive a new DPC following removal of the software token from the mobile device.