Archived TD0053: Removal of FCS_IPSEC_EXT.1.12 Test 5 from VPN IPSEC Client v1.4
FCS_IPSEC_EXT.1.12 Test 5 is being removed because it is duplicative with FIA_X509_EXT.2.2.
The below test is no longer valid and removed for the FCS_IPSEC_EXT.1.12 requirement:
Test 5: The evaluator shall ensure that the TOE is configurable to either establish an SA, or not establish an SA if a connection to the certificate validation entity cannot be reached. For each method selected for certificate validation, the evaluator attempts to validate the certificate – for the purposes of this test, it does not matter if the certificate is revoked or not. For the “mode” where an SA is allowed to be established, the connection is made. Where the SA is not to be established, the connection is refused.
Additional clarification added to FIA_X509_EXT.2.2 under Assurance Activity Test 1:
Test 1: The evaluator shall demonstrate that using a valid certificate that requires certificate validation checking to be performed in at least some part by communicating with a non-TOE IT entity. The evaluator shall then manipulate the environment so that the TOE is unable to verify the validity of the certificate, and observe that the action selected in FIA_X509_EXT.2.2 is performed. If the selected action is administrator-configurable, then the evaluator shall follow the operational guidance to determine that all supported administrator-configurable options behave in their documented manner. This test must be performed for each certificate revocation method selected in FIA_X509_EXT.1.1 (e.g. OCSP and/or CRL).
Removal of duplicative testing.