
The mobile operating system, for PKI-based authentication, must validate certificates by querying the certification authority for revocation status of the certificate.


Overview

Finding ID: V-32983
Version: SRG-OS-000066-MOS-000033
Rule ID: SV-43381r1_rule
IA Controls: (none listed)
Severity: Low
Description
Status information for certification paths includes certificate revocation lists (CRLs) or Online Certificate Status Protocol (OCSP) responses. Failure to verify a certificate's revocation status can result in the system accepting a revoked or otherwise unauthorized certificate, which in turn can result in the installation of unauthorized software or connection to rogue networks. Querying for certificate revocation mitigates the risk that the system will accept an unauthorized certificate.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41282r2_chk)
Inspect the mobile operating system configuration for validation of certificates used for PKI-based authentication. Confirm queries to the certification authority are performed for revocation status of certificates. If queries are not performed for revocation status of certificates, this is a finding.
Fix Text (F-36897r2_fix)
Configure the mobile operating system to validate certificates by querying the certification authority for revocation status of the certificate.