
The mobile operating system must give the user the option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority.


Overview

Finding ID: V-32989
Version: SRG-OS-000066-MOS-000037
Rule ID: SV-43387r1_rule
IA Controls: (not specified)
Severity: Medium
Description
When the operating system accepts the use of certificates issued from an untrusted certificate authority, there is the potential that the system presenting the certificate is malicious, and can compromise sensitive information or system integrity. Allowing the operating system or user to deny certificates from an untrusted certificate authority mitigates the risk associated with the acceptance of such certificates.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41286r1_chk)
Inspect the mobile operating system configuration for the user option to deny acceptance of a certificate if the certificate was issued by an untrusted certificate authority. If the operating system does not allow the user to reject a certificate issued from an untrusted certificate authority, this is a finding.
Fix Text (F-36901r1_fix)
Configure the mobile operating system to give the user the option to deny acceptance of a certificate if it was issued by an untrusted certificate authority.