Why am I unable to access Google Play while using Common Criteria (CC) mode?

Article ID: 115012110367

Environment

Knox Workspace 2.0+

Summary

When I activate Common Criteria mode, I am unable to use Google Play.

Cause

Connection to Google Play is rejected because their servers do not meet CC mode requirements (MDFPP v2.0).

According to MDFPP v2.0 the TSF (TOE’s security functions) verifies if the presented identifier matches the reference identifier according to RFC 6125.

The evaluator performs the following wildcard tests with each supported type of reference identifier:

As of now, Google’s certificate do not satisfy the following tests.

• The evaluator presents a server certificate containing a wildcard that is not in the left-most label of the presented identifier (e.g. foo.*.example.com) and verifies if the connection fails.

• The evaluator shall present a server certificate containing a wildcard in the left-most label (e.g. *. example.com ). The evaluator configures the reference identifier with a single left-most label (e.g. foo. example.com ) and verifies if the connection succeeds. The evaluator configures the reference identifier without a left-most label as in the certificate (e.g. example.com ) and verifies if the connection fails. The evaluator configures the reference identifier with two left-most labels (e.g. bar.foo.example.come) and verifies if the connection fails.

Resolution

N/A