NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0223: NIT Technical Decision for "Expected" vs "unexpected" DNs for IPsec Communications

Publication Date
2017.07.27

Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0

Other References
CPP_ND_V1.0, FCS_IPSEC_EXT.1.14

Issue Description

The NIT has issued a Technical Decision for "Expected" vs "unexpected" DNs in certificate verification for IPsec Communications.

Resolution

To align with NIT interpretation #201667, FCS_IPSEC_EXT.1.14 shall therefore be modified as follows:

FCS_IPSEC_EXT.1.14 The TSF shall only establish a trusted channel if the presented identifier in the received certificate matches the configured reference identifier, where the presented and reference identifiers are of the following types: [selection: IP address, Fully Qualified Domain Name (FQDN), user FQDN, Distinguished Name (DN)] and [selection: no other reference identifier type, [assignment: other supported reference identifier types]].

The application note for FCS_IPSEC_EXT.1.14 shall be modified as follows:

When using RSA or ECDSA certificates for peer authentication, the reference and presented identifiers take the form of either a DN, IP address, FQDN or user FQDN. The reference identifier is the identifier the TOE expects to receive from the peer during IKE authentication. The presented identifier is the identifier that is contained within the peer certificate body. The ST author shall select the presented and reference identifier types supported and may optionally assign additional supported identifier types in the second selection. Excluding the DN identifier type (which is necessarily the Subject DN in the peer certificate), the TOE may support the identifier in either the Common Name or Subject Alternative Name (SAN) or both.

The preferred method for verification is the Subject Alternative Name using DNS names, URI names, or Service Names. Verification using the Common Name is required for the purposes of backwards compatibility. Additionally, support for use of IP addresses in the Subject Name or Subject Alternative Name is discouraged as against best practices but may be implemented.

Supported peer certificate algorithms are the same as FCS_IPSEC_EXT.1.13.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201667.pdf
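The reference/presented identifier check described in FCS_IPSEC_EXT.1.14 and its application note can be sketched as follows. This is an added example, not NIAP's text or any evaluated product's code; the dictionary layout, the type names (`fqdn`, `ip`, `user_fqdn`, `dn`), the normalisation rules, and the choice to fall back to the Common Name only when no SAN of the requested type is present are assumptions.

```python
import ipaddress

# Constructed sample: identifiers already extracted from a peer certificate body.
PEER_CERT = {
    "subject_dn": [("C", "US"), ("O", "Example Corp"), ("CN", "vpn-gw.example.com")],
    "san": {"fqdn": ["vpn-gw.example.com"], "ip": ["192.0.2.10"],
            "user_fqdn": ["admin@example.com"]},
}

def _norm(id_type, value):
    """Canonical form for comparison, per identifier type."""
    if id_type == "ip":
        return ipaddress.ip_address(value)   # raises ValueError on anything that is not an IP
    if id_type == "dn":
        # Ordered RDN sequence; types and values compared case-insensitively (assumption).
        return [(t.strip().upper(), " ".join(v.split()).lower()) for t, v in value]
    # fqdn / user_fqdn: case-insensitive, trailing dot ignored (simplification).
    return value.strip().rstrip(".").lower()

def presented_identifiers(cert, id_type):
    """Presented identifiers of one type: Subject DN for 'dn', else SAN, else CN."""
    if id_type == "dn":
        return [cert["subject_dn"]]          # the DN type is necessarily the Subject DN
    san = cert.get("san", {}).get(id_type, [])
    if san:                                  # SAN is the preferred source
        return san
    # Backwards-compatibility fallback to Common Name, only without a SAN (assumption).
    return [v for t, v in cert["subject_dn"] if t.upper() == "CN"]

def may_establish_channel(cert, ref_type, ref_value):
    """True only if a presented identifier matches the configured reference identifier."""
    try:
        want = _norm(ref_type, ref_value)
        return any(_norm(ref_type, p) == want
                   for p in presented_identifiers(cert, ref_type))
    except ValueError:                       # malformed identifier: fail closed
        return False
```

The comparison is typed: a reference identifier configured as an IP address is never satisfied by a matching string in a DNS SAN or the Common Name unless that value parses as the same address.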

 

Justification

See issue description.

 
 