This is a clarification I received via the TC 57 WG 15 email group. Please note that I fully agree that the tissue database is not the proper place for this clarification.
However, until WG 15 gets a Redmine database (or similar location for official standard interpretations or clarifications) I'm posting this here so that a record is kept of the response.
==========================
IEC 62351-3:2020 Section 7.2 Table 1 mandates that implementing entities support both RSA and ECDSA cipher suites for TLS 1.2.
Does this mean that implementing entities:
1. Must support two local device X.509 certificates simultaneously (one using RSA and the other using ECDSA), or
2. Must be capable of supporting either kind of local device X.509 certificate, although the local device does not need to support both kinds simultaneously
Feedback on this question is appreciated.
Answer (Steffen Fries):
The support of RSA and ECDSA cipher suites is only related to the capability to handle RSA and ECDSA certificates, but not to the possession of both related certificates simultaneously. [Note that part of the response here is clipped due to it being only tangentially related to the question at hand.]
Requiring support for both RSA and ECDSA ensures that during operation, based on the organization's security policy, the server and the client can have either certificate.
Proposal
See Steffen's clarification above.
Discussion
Created
Status
OK.
27 Jun 24
Approval (Editorial)
As outlined in the TISSUE description, entities are not expected to possess RSA and ECDSA certificates. The selection of the certificate (either RSA or ECDSA) is done based on the operator's security policy for the server and the client certificate as stated in clause 7.2 below Table 1 in IEC 62351-3:2023.