11 Testing a PKI enabled application for compliance
11.1.1 As well as configuring an application to behave well, it is important to test that the application is actually behaving as expected.
| Test name | Description | Expected result (bolded is mandatory) |
|---|---|---|
| Test the CA trust list (+ve) | Access the application with a certificate issued by a CA that is in the trust list and that should grant access to the application. | Access granted. Access logged, including certificate details. |
| Test the CA trust list (-ve) | Try to access the application using a certificate that would usually be appropriate but whose CA is not in the trust list for the application. An easy way to test this is to temporarily remove a normally trusted CA from the list. | Access denied. Failure logged, including certificate details. |
| Test behaviour when certificate status checking is unavailable | Prevent the application from accessing certificate status checking services (CRLs and OCSP) and try to access the application. An easy way to do this is to disconnect the server from the Internet or, if this is not possible, to change the hosts file to specify an incorrect IP address for the CRL and OCSP servers. Before testing, it is important to remove any locally cached CRLs or OCSP responses. | Access denied. Failure logged, including the URL of the unavailable service or the certificate details. Alert the system administrator. |
| Test behaviour of cached certificate status | As for "certificate status checking unavailable" above, but access the application successfully before preventing access to the certificate status checking services. | Access granted, unless the application is configured not to cache certificate status. |
| Test behaviour of expired cached certificate status with certificate status checking unavailable | As for "cached certificate status" above, but wait until the cached certificate status response has expired. For CRL checking, check when the CRL will expire and time this test for just before then. For OCSP, you will need to wait for longer than the OCSP response validity period before retesting. Ideally certificate status checking services are very reliable, and access should be denied, since a denial of service attack against the certificate status checking services could be combined with an attack against the application. However, for applications where high availability is most important, reasonably recent certificate status may be considered better than none; this would shield the application from availability problems with the certificate status checking services, including network connectivity problems. There would need to be some limit on how long expired cached information is acceptable. | Access denied (arguable). Alert the system administrator. |
| Test behaviour of expired cached certificate status with certificate status checking available | After a successful access, have the certificate revoked. After the cached certificate status has expired, try to access the application again. The application should retrieve new certificate status information... | Access denied. Failure logged, including certificate details. |
| Encryption algorithm defaults to the maximum desired | Using a client that supports a good range of encryption algorithms, access the application and check which encryption algorithm is being used. In Internet Explorer, right-click on the web page and choose Properties. In Netscape, click on the security button. | Check the algorithm used: it should be 3DES or AES for SENSITIVE systems; 128-bit RC4 is also acceptable for IN CONFIDENCE systems. |
| Undesirable encryption algorithms have been disabled | Attempt to access the application after configuring the client to disable all algorithms permitted by the server. This is easy in Netscape 6: Edit, Preferences, Privacy & Security, SSL, Edit Ciphers. | Access denied. |
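The trust list and certificate status rows above describe the behaviour to test but not the decision logic that produces it. The following is an added example, not code from the original document or from any particular product: a small Python model of an application's access decision (trust list check, CRL/OCSP lookup, response caching, fail-closed handling of an unavailable service, and an optional grace period for expired cached status) against an in-memory stand-in for the status service, so that each row of the table can be executed offline. The class names, the `max_stale` grace period, the one-hour response validity, the timestamps and the test certificates are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Certificate:
    subject: str
    issuer: str   # name of the issuing CA, matched against the trust list
    serial: int


class StatusServiceUnavailable(Exception):
    """Raised when the CRL distribution point / OCSP responder is unreachable."""


@dataclass
class StatusService:
    """In-memory stand-in (assumption) for a CRL/OCSP service."""
    validity: timedelta                          # freshness of a fetched response
    revoked: set = field(default_factory=set)    # {(issuer, serial), ...}
    available: bool = True

    def fetch(self, cert, now):
        if not self.available:
            raise StatusServiceUnavailable("status service unreachable")
        return {"revoked": (cert.issuer, cert.serial) in self.revoked,
                "expires": now + self.validity}


@dataclass
class Decision:
    granted: bool
    reason: str
    alert_admin: bool = False


class PkiApplication:
    """Model of the access decision that the table's rows exercise."""

    def __init__(self, trusted_cas, service, cache_status=True, max_stale=timedelta(0)):
        self.trusted_cas = set(trusted_cas)
        self.service = service
        self.cache_status = cache_status
        self.max_stale = max_stale   # how long an expired cached status may still be used
        self.cache = {}              # (issuer, serial) -> last status response
        self.log = []                # audit trail: one line per access attempt

    def _record(self, cert, decision):
        self.log.append("%s subject=%s issuer=%s serial=%d reason=%s" % (
            "GRANT" if decision.granted else "DENY",
            cert.subject, cert.issuer, cert.serial, decision.reason))
        return decision

    def access(self, cert, now):
        # Trust list first: an unknown issuer never reaches status checking.
        if cert.issuer not in self.trusted_cas:
            return self._record(cert, Decision(False, "issuer not in trust list"))
        key = (cert.issuer, cert.serial)
        cached = self.cache.get(key)
        if cached and now <= cached["expires"]:
            status, source = cached, "cache"          # fresh cached status, no lookup
        else:
            try:
                status, source = self.service.fetch(cert, now), "service"
                if self.cache_status:
                    self.cache[key] = status
            except StatusServiceUnavailable:
                # Fail closed unless an expired cache entry is inside the grace period.
                if cached and now <= cached["expires"] + self.max_stale:
                    status, source = cached, "stale cache"
                else:
                    return self._record(cert, Decision(
                        False, "status service unavailable", alert_admin=True))
        if status["revoked"]:
            return self._record(cert, Decision(False, "certificate revoked via " + source))
        return self._record(cert, Decision(True, "status good via " + source,
                                           alert_admin=(source == "stale cache")))


def run_matrix():
    """Execute each status-checking row of the table; returns {row: access granted}."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed timestamp
    good = Certificate("alice", "Trusted Root CA", 1001)      # constructed test certs
    untrusted = Certificate("bob", "Unknown CA", 2002)

    def fresh_app(**kw):
        svc = StatusService(validity=timedelta(hours=1))
        return PkiApplication({"Trusted Root CA"}, svc, **kw), svc

    results = {}
    app, svc = fresh_app()
    results["trust list +ve"] = app.access(good, t0).granted
    results["trust list -ve"] = app.access(untrusted, t0).granted
    app, svc = fresh_app()
    svc.available = False                    # hosts file points CRL/OCSP nowhere
    results["status unavailable"] = app.access(good, t0).granted
    app, svc = fresh_app()
    app.access(good, t0)                     # successful access fills the cache
    svc.available = False
    results["cached status"] = app.access(good, t0 + timedelta(minutes=30)).granted
    app, svc = fresh_app()
    app.access(good, t0)
    svc.available = False
    results["expired cache, service unavailable"] = app.access(good, t0 + timedelta(hours=2)).granted
    app, svc = fresh_app(max_stale=timedelta(hours=4))      # high-availability variant
    app.access(good, t0)
    svc.available = False
    results["expired cache, within grace period"] = app.access(good, t0 + timedelta(hours=2)).granted
    app, svc = fresh_app()
    app.access(good, t0)
    svc.revoked.add(("Trusted Root CA", 1001))              # revoked after first access
    results["expired cache, service available, revoked"] = app.access(good, t0 + timedelta(hours=2)).granted
    return results
```

Calling `run_matrix()` gives one boolean per row; with the default `max_stale` of zero the model fails closed exactly as the "arguable" row recommends, and only the explicit high-availability variant accepts stale status, and then with `alert_admin` set so the condition is not silent. Every attempt, granted or denied, lands in `app.log` with the certificate details the table requires.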
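The last two rows check the negotiated cipher by hand in a browser. As an added example (not from the original document), the following Python uses the standard-library `ssl` module to audit a server-side cipher policy offline against a baseline, and to read the suite a live server actually negotiates, which is the programmatic form of "right-click the page and choose Properties". The policy string, the banned-name list and the 128-bit minimum are assumptions reflecting a modern baseline (AES, no RC4, 3DES or MD5) rather than the thresholds stated in the table; the exact suites listed depend on the OpenSSL the interpreter is linked against.

```python
import socket
import ssl

# Constructed for this example (assumed policy): keep only suites with
# authenticated key exchange and a 128-bit-or-better cipher; drop RC4, (3)DES, MD5.
STRONG_POLICY = "HIGH:!aNULL:!MD5:!RC4:!3DES:!DES"
BANNED_SUBSTRINGS = ("RC4", "DES", "MD5", "NULL", "EXPORT")
MIN_STRENGTH_BITS = 128


def enabled_ciphers(policy):
    """Suites a server context built with `policy` would offer (TLS 1.3 ones included)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(policy)
    return ctx.get_ciphers()


def audit_policy(policy, min_bits=MIN_STRENGTH_BITS, banned=BANNED_SUBSTRINGS):
    """Return the suite names under `policy` that violate the baseline; [] means compliant.

    Offline equivalent of the 'undesirable algorithms have been disabled' row,
    applied to the server configuration itself rather than to a client.
    """
    violations = []
    for suite in enabled_ciphers(policy):
        name = suite["name"]
        if suite["strength_bits"] < min_bits or any(b in name for b in banned):
            violations.append(name)
    return violations


def negotiated_cipher(host, port=443, timeout=5.0):
    """Connect to the server under test and return (suite name, protocol, bits).

    Not exercised offline; `host` is a hypothetical server name supplied by the tester.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    for label, policy in (("permissive", "ALL:!aNULL"), ("strong", STRONG_POLICY)):
        bad = audit_policy(policy)
        print("%s policy: %s" % (label, "compliant" if not bad else "violations: " + ", ".join(bad)))
    for suite in enabled_ciphers(STRONG_POLICY):
        print("  %-40s %-8s %3d bits" % (suite["name"], suite["protocol"], suite["strength_bits"]))
```

Run stand-alone, the script prints whether the permissive and strong policies pass the audit and lists every suite the strong policy would offer; `negotiated_cipher("server.example", 443)` (hypothetical host) reports what a real handshake with the application settled on, which is the value the "defaults to maximum desired" row asks the tester to record.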