The mobile operating system must give the user the option to deny acceptance of a certificate if it cannot verify the certificates revocation status.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-32986 | SRG-OS-000066-MOS-000035 | SV-43384r2_rule | Low |
| Description |
|---|
| When additional assurance is required, the system should deny acceptance of a certificate if it cannot verify its revocation status. Otherwise, there is the potential that it is accepting the credentials of an unauthorized system. Allowing the operating system or user to deny certificates with unverified revocation status mitigates the risk associated with the acceptance of such certificates. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41284r2_chk ) |
|---|
| Inspect the mobile operating system configuration for providing the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. If the mobile operating system is configured to deny certificates whenever it cannot determine its revocation status without providing them an option to override the denial, this is a compliant configuration and not a finding. On the other hand, if the mobile operating system allows users to accept such certificates and if the operating system does not allow the user to reject the certificate when it cannot validate the certificate's revocation status, this is a finding. |
| Fix Text (F-36899r1_fix) |
|---|
| Configure the mobile operating system to give the user the option to deny acceptance of a certificate if it cannot verify the certificate's revocation status. |