OCSP (Online Certificate Status Protocol) is a protocol for obtaining the revocation status of a certificate. It addresses problems associated with using Certificate Revocation Lists (CRLs). When OCSP is enabled, it is consulted before CRL checking; if OCSP cannot obtain a decisive response about a certificate, the device then falls back to CRL checking. The OCSP responder must be listed in the certificate's Authority Information Access extension. This feature must be enabled for a Samsung Android device to be in the NIAP-certified Common Criteria (CC) mode of operation. SFR ID: FMT_SMF_EXT.1.1 #47
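The ordering described above (OCSP first, CRL only when OCSP is not decisive, responder taken from the certificate's Authority Information Access extension) is shown below in Go, using only the standard library. This is an added example and not part of the STIG or any Samsung/Knox code: it builds a throwaway CA, a leaf certificate and a CRL entirely in memory, and `OCSPSource` stands in for the network round trip to the responder (the `ocsp.example.invalid` and `crl.example.invalid` URLs are constructed placeholders).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OCSPStatus is the responder's answer. Good and Revoked are decisive;
// Unknown covers an unreachable responder, a bad response, or "unknown".
type OCSPStatus int

const (
	OCSPGood OCSPStatus = iota
	OCSPRevoked
	OCSPUnknown
)

// OCSPSource stands in for the network round trip to a responder URL (assumed helper).
type OCSPSource func(responderURL string, serial *big.Int) OCSPStatus

// fixedResponder returns a responder that always answers with s.
func fixedResponder(s OCSPStatus) OCSPSource {
	return func(string, *big.Int) OCSPStatus { return s }
}

// Decision records the verdict and which mechanism produced it ("ocsp" or "crl").
type Decision struct {
	Revoked bool
	Source  string
}

// testPKI holds a constructed CA, a leaf carrying an OCSP URL in its AIA
// extension, and a CRL signed by the CA. Nothing here comes from a real device.
type testPKI struct {
	CA, Leaf *x509.Certificate
	CRL      *x509.RevocationList
}

func buildPKI(revokeLeafInCRL bool) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign needed to issue the CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "device.example.invalid"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
		// AIA id-ad-ocsp entry: the responder the text requires (constructed URL)
		OCSPServer:            []string{"http://ocsp.example.invalid/"},
		CRLDistributionPoints: []string{"http://crl.example.invalid/ca.crl"},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeafInCRL {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	return &testPKI{CA: ca, Leaf: leaf, CRL: crl}, nil
}

// revocationStatus applies the order the STIG describes: each OCSP responder named
// in the leaf's AIA extension is asked first; the CRL is used only when no responder
// gives a decisive answer, and only after its signature and freshness are checked.
func revocationStatus(leaf, issuer *x509.Certificate, query OCSPSource, crl *x509.RevocationList) (Decision, error) {
	for _, url := range leaf.OCSPServer {
		switch query(url, leaf.SerialNumber) {
		case OCSPGood:
			return Decision{Revoked: false, Source: "ocsp"}, nil
		case OCSPRevoked:
			return Decision{Revoked: true, Source: "ocsp"}, nil
		} // OCSPUnknown: not decisive, try the next responder, then the CRL
	}
	if crl == nil {
		return Decision{}, fmt.Errorf("no decisive OCSP answer and no CRL available")
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return Decision{}, fmt.Errorf("CRL signature check failed: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return Decision{}, fmt.Errorf("CRL is stale (nextUpdate %s)", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Decision{Revoked: true, Source: "crl"}, nil
		}
	}
	return Decision{Revoked: false, Source: "crl"}, nil
}

func main() {
	pki, err := buildPKI(true) // leaf is listed in the CRL
	if err != nil {
		panic(err)
	}
	fmt.Println("AIA OCSP responders:", pki.Leaf.OCSPServer)
	for _, s := range []OCSPStatus{OCSPGood, OCSPRevoked, OCSPUnknown} {
		d, err := revocationStatus(pki.Leaf, pki.CA, fixedResponder(s), pki.CRL)
		fmt.Printf("responder=%d -> revoked=%v via %q err=%v\n", s, d.Revoked, d.Source, err)
	}
}
```

With the leaf listed in the CRL, a decisive OCSP "good" still wins and the CRL is never read; only the "unknown" responder falls through to the CRL, which then reports the certificate revoked. That is why the check above matters: with OCSP disabled, a device gets the CRL verdict only if a fresh CRL is reachable, and a stale or missing CRL yields no decision at all.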
Samsung Android OS 9 with Knox 3.x COPE Use Case KPE(Legacy) Deployment Security Technical Implementation Guide, 2020-05-15
Check Text (C-93245r1_chk)
Review device configuration settings to confirm that OCSP checking is enabled for all apps.
This procedure is performed on the MDM Administration console only.
On the MDM console, for the device, in the "Knox certificate" group, verify that "OCSP check" is configured to "enable for all apps".
If on the MDM console "OCSP check" is not configured to "enable for all apps", this is a finding.
Fix Text (F-100175r1_fix)
Configure Samsung Android to enable OCSP checking for all apps.
On the MDM, for the device, in the "Knox certificate" group, configure "OCSP check" to "enable for all apps".
Refer to the MDM documentation to determine how to configure OCSP checking to "enable for all apps". Some may, for example, allow a wildcard string: "*" (asterisk).