TD0127: FIA_SIPT_EXT.1.2 - TLS Client X.509 Certificate Authentication
The current FIA_SIPT_EXT.1.2 requirement in the EP_SBC_V1.1 refers to a "username and password" for a service provider. Some SBCs use an IP address and X.509 certificate to validate the service provider.
The TSF shall require a service provider to provide valid identification in the form of a [selection: username/password, X.509 certificate] and IP address in order to establish a SIP trunk.
The ST author selects the method of authentication used by the TOE (username/password, X.509 certificate, or both).
Test 1: Configure the TOE to support an encrypted SIP trunk. Configure a trunk peer to communicate with the TOE using the SIP trunk. Present a correct username/password combination or a valid X.509 certificate on the trunk peer with a SIP trunk request that originates from an expected IP address. Verify via packet capture and audit log that the session was established.
Test 2: Repeat test 1, but provide incorrect username/password information or an invalid X.509 certificate with the trunk peer, and verify via packet capture and audit log that the session was not established.
It was intended for the EP to support TLS client X.509 certificate authentication for SIP trunking; therefore, it is acceptable to use X.509 authentication as an alternative to username/password.
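The admission decision that the modified requirement and the two tests describe can be modelled as follows. This is an added example, not text from the TD or code from any SBC product. All class and function names are hypothetical, the certificate verdict is assumed to come from the TLS stack, and the sketch assumes every method configured for a trunk must succeed.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TrunkPolicy:               # hypothetical model, not a vendor API
    methods: frozenset           # configured for this trunk: "password", "x509" or both
    expected_net: str            # expected service-provider address or prefix
    username: str = ""
    password: str = ""

@dataclass(frozen=True)
class TrunkRequest:
    source_ip: str
    username: str = ""
    password: str = ""
    cert_valid: bool = False     # assumed TLS-stack verdict; False = invalid or absent

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time comparison
def admit(policy: TrunkPolicy, req: TrunkRequest):
    """Return (established, audit_reason); every failure path denies the trunk."""
    if not policy.methods or not policy.methods <= {"password", "x509"}:
        return False, "no valid authentication method configured"
    try:
        if ipaddress.ip_address(req.source_ip) not in ipaddress.ip_network(policy.expected_net):
            return False, "unexpected source IP"
    except ValueError:
        return False, "unparseable address"
    # Assumption: every method configured for this trunk must succeed.
    if "password" in policy.methods:
        if not (_same(req.username, policy.username) & _same(req.password, policy.password)):
            return False, "bad username/password"
    if "x509" in policy.methods and not req.cert_valid:
        return False, "invalid or missing X.509 certificate"
    return True, "SIP trunk established"

PW = TrunkPolicy(frozenset({"password"}), "192.0.2.10/32", "provider1", "example-pass")
X5 = TrunkPolicy(frozenset({"x509"}), "192.0.2.10/32")  # constructed sample data
CASES = {
    "test1_password": (PW, TrunkRequest("192.0.2.10", "provider1", "example-pass")),
    "test1_x509": (X5, TrunkRequest("192.0.2.10", cert_valid=True)),
    "test2_password": (PW, TrunkRequest("192.0.2.10", "provider1", "wrong-pass")),
    "test2_x509": (X5, TrunkRequest("192.0.2.10", cert_valid=False)),
    "valid_cert_wrong_ip": (X5, TrunkRequest("198.51.100.7", cert_valid=True)),
}

def run_cases():
    return {name: admit(policy, req) for name, (policy, req) in CASES.items()}
```

The last case goes beyond the two tests: it exercises the "and IP address" part of the requirement with an otherwise valid certificate.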