NIAP: View Technical Decision Details
Archived TD0379:  Updated FCS_IPSEC_EXT.1.11 Tests for VPN Client

Publication Date

Protection Profiles

Other References

Issue Description

The wording of Test 2 is confusing because it mentions the DN when in fact it does not technically require that "DN" be selected as an identifier.  Also, Test 4 lacks clarity.



Test 2 shall be rewritten as follows:

Test 2: The evaluator shall configure the TOE to use a private key and associated certificate signed by a trusted CA and shall establish an IPsec connection with the peer.

Test 4 shall be deleted.

Test 9 shall be modified as follows (modifications in bold):

Test 9 [conditional]: If the TOE supports DN identifier types, the evaluator shall configure the peer's reference identifier on the TOE (per the administrative guidance) to match the subject DN in the peer's presented certificate and shall verify that the IKE authentication succeeds. To demonstrate a bit-wise comparison of the DN, the evaluator shall change a single bit in the DN (preferably, in an Object Identifier (OID) in the DN) and verify that the IKE authentication fails. To demonstrate a comparison of DN values, the evaluator shall change any one of the four DN values and verify that the IKE authentication fails.
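
The two negative cases in Test 9, shown at the encoding level as an added example (not part of the Technical Decision or of any NIAP tooling): a DER-encoded DN with one bit flipped inside an attribute OID, and a DN with one attribute value changed, each compared bit-wise against the reference. The sample DN, the choice of C, O, OU and CN as the four DN values, and all function names are assumptions made for illustration.

```python
# Added example: build DER-encoded DNs for the Test 9 negative cases.
# All DN values are constructed sample data.
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}  # X.520 types, 2.5.4.x

def tlv(tag, content):
    """DER tag-length-value with short or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def encode_dn(rdns):
    """Ordered [(attr, value), ...] -> DER Name, one attribute per RDN."""
    body = b""
    for attr, value in rdns:
        # countryName is a PrintableString (0x13); the rest use UTF8String (0x0c)
        string_tag = 0x13 if attr == "C" else 0x0C
        atv = tlv(0x06, OIDS[attr]) + tlv(string_tag, value.encode("utf-8"))
        body += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, body)

def flip_bit_in_oid(der, attr, bit=0):
    """Copy of der with one bit flipped in the last byte of attr's OID."""
    needle = tlv(0x06, OIDS[attr])
    pos = der.index(needle) + len(needle) - 1
    out = bytearray(der)
    out[pos] ^= 1 << bit
    return bytes(out)

def bit_distance(a, b):
    """Number of differing bits between two equal-length encodings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def dn_matches(reference, presented):
    """Bit-wise comparison: only identical encodings match."""
    return reference == presented

REFERENCE = [("C", "US"), ("O", "Example Org"), ("OU", "Lab"),
             ("CN", "vpn-gw.example.test")]
REF_DER = encode_dn(REFERENCE)
OID_FLIPPED = flip_bit_in_oid(REF_DER, "CN")                 # 2.5.4.3 -> 2.5.4.2
VALUE_CHANGED = encode_dn(REFERENCE[:2] + [("OU", "Lab2")] + REFERENCE[3:])

if __name__ == "__main__":
    for name, der in [("unchanged", REF_DER), ("one bit flipped in OID", OID_FLIPPED),
                      ("OU value changed", VALUE_CHANGED)]:
        print(f"{name:24} match={dn_matches(REF_DER, der)}")
```

The comparison function only stands in for the TOE's check. In an actual run the altered DN has to reach the TOE in a certificate that still validates, or as an altered reference identifier, so that the authentication failure is attributable to the DN comparison and not to a broken signature.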


See issue description
