The NIT has issued a technical decision for Updating FCS_DTLSC_EXT.x.2/FCS_TLSC_EXT.x.2 Tests 1-4.

The NIT supports the point of view that after negative testing of the scenario of SAN not matching the reference identifier but CN matching the reference identifier (i.e. Test 4) a negative test of SAN not matching the reference identifier and CN not matching the reference identifier (i.e. Test 1) does not seem to add any value. On the other hand the scenario of SAN extension not present and CN not matching the reference identifier needs to be tested.

FCS_DTLSC_EXT.1.2/FCS_DTLSC_EXT.2.2 Test 1(ND SD V2.0), FCS_TLSC_EXT.1.2/FCS_TLSC_EXT.2.2 Test 1 (ND SD V1.0, ND SD V2.0) shall therefore be replaced by the following test:

"Test 1: The evaluator shall present a server certificate that contains a CN that does not match the reference identifier and does not contain the SAN extension. The evaluator shall verify that the connection fails.

Remark: Some systems might require the presence of the SAN extension. In this case the connection would still fail but for the reason of the missing SAN extension instead of the mismatch of CN and reference identifier. Both reasons are acceptable to pass Test 1."

Since some systems might require the presence of a SAN, FCS_DTLSC_EXT.1.2/FCS_DTLSC_EXT.2.2 Test 3(ND SD V2.0), FCS_TLSC_EXT.1.2/FCS_TLSC_EXT.2.2 Test 3 (ND SD V1.0, ND SD V2.0) shall be made conditional by applying the following change:

"Test 3 [conditional]: If the TOE does not mandate the presence of the SAN extension, the evaluator shall present a server certificate that contains a CN that matches the reference identifier and does not contain the SAN extension. The evaluator shall verify that the connection succeeds. If the TOE does mandate the presence of the SAN extension, this Test shall be omitted."

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201709.pdf

See issue description.