TD0405: FIA_SASL_EXT.1 Testing
Test 2 for FIA_SASL_EXT.1 is not possible to perform as written. The packet analyzer cannot indicate that the protocol in use is SASL because SASL itself is not a protocol, but an authentication mechanism used by the various email protocols, and because the email protocol is protected by TLS, which results in the packet analyzer at best guessing at the application layer protocol based on the TCP port number.
Test 2 for FIA_SASL_EXT.1 is rewritten as follows (new text is underlined):
Test 2: The evaluator shall ensure, for each communication channel with an authorized IT entity in test 1, that a valid SASL handshake is performed. To perform this test, the evaluator shall use a sniffer and a packet analyzer. The packet analyzer must indicate that the protocol in use is SASL. The sniffer and packet analyzer must allow the evaluator to view the plaintext email protocol (e.g., proxy, loading the server private key). The evaluator shall identify the SASL handshake within the email protocol.
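The rewritten test asks the evaluator to identify the SASL handshake inside the plaintext email protocol rather than expecting the analyzer to label a "SASL" protocol. The following script is an added illustration of that step; it is not part of TD0405, nor NIAP's or any evaluation lab's tooling. It assumes the evaluator has already obtained a decrypted session (via an intercepting proxy or by loading the server private key into the analyzer, as the test text suggests) and exported it as client/server lines. The two transcripts below are constructed samples, not captures from any product. The handshake framing follows SMTP AUTH (RFC 4954: `AUTH`, `334` challenge, `235` success) and IMAP `AUTHENTICATE` (RFC 3501/9051: `+` continuation, tagged `OK`/`NO`/`BAD` completion); the PLAIN mechanism layout (RFC 4616) is used only to recover the authentication identity, and the password is discarded.

```python
"""Locate SASL handshakes inside a decrypted SMTP or IMAP transcript.

Added example for the FIA_SASL_EXT.1 Test 2 procedure; assumes the TLS layer has
already been removed and the exchange is available as (direction, line) pairs,
where direction is "C" (client -> server) or "S" (server -> client).
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample transcripts (hypothetical hosts and credentials).
SMTP_SAMPLE = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN"),                                   # mechanism selected, no initial response
    ("S", "334 "),                                         # empty challenge
    ("C", base64.b64encode(b"\0alice\0hunter2").decode()), # authzid NUL authcid NUL passwd
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<alice@example.test>"),
]
IMAP_SAMPLE = [
    ("S", "* OK IMAP4rev1 ready"),
    ("C", "a1 CAPABILITY"),
    ("S", "* CAPABILITY IMAP4rev1 AUTH=PLAIN SASL-IR"),
    ("S", "a1 OK done"),
    # first attempt uses SASL-IR (initial response on the command line) and fails
    ("C", "a2 AUTHENTICATE PLAIN " + base64.b64encode(b"\0bob\0wrong").decode()),
    ("S", "a2 NO [AUTHENTICATIONFAILED] Authentication failed"),
    # second attempt uses the challenge/response form and succeeds
    ("C", "a3 AUTHENTICATE PLAIN"),
    ("S", "+ "),
    ("C", base64.b64encode(b"\0bob\0correct").decode()),
    ("S", "a3 OK Authenticated"),
]

SMTP_AUTH = re.compile(r"^AUTH\s+([A-Za-z0-9_-]+)(?:\s+(\S+))?\s*$")
IMAP_AUTH = re.compile(r"^(\S+)\s+AUTHENTICATE\s+([A-Za-z0-9_-]+)(?:\s+(\S+))?\s*$")


@dataclass
class SaslHandshake:
    protocol: str            # "SMTP" or "IMAP"
    mechanism: str           # SASL mechanism name as sent by the client
    authcid: Optional[str]   # authentication identity from PLAIN, if recoverable
    exchanges: int           # server challenge / client response round trips
    outcome: str             # "success", "failure" or "incomplete"


def plain_authcid(b64: str) -> Optional[str]:
    """Return the authcid from a SASL PLAIN message; the password is never returned."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\0")
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace")


def find_sasl_handshakes(transcript: List[Tuple[str, str]]) -> List[SaslHandshake]:
    """Scan the plaintext exchange and describe every SASL handshake it contains."""
    found: List[SaslHandshake] = []
    i, n = 0, len(transcript)
    while i < n:
        direction, line = transcript[i]
        i += 1
        if direction != "C":
            continue
        m_smtp, m_imap = SMTP_AUTH.match(line), IMAP_AUTH.match(line)
        if m_smtp:
            proto, tag, mech, initial = "SMTP", None, m_smtp.group(1).upper(), m_smtp.group(2)
        elif m_imap:
            proto, tag, mech, initial = "IMAP", m_imap.group(1), m_imap.group(2).upper(), m_imap.group(3)
        else:
            continue
        authcid = plain_authcid(initial) if (mech == "PLAIN" and initial) else None
        exchanges, outcome = 0, "incomplete"
        while i < n:                      # consume the handshake until a final server reply
            d, l = transcript[i]
            i += 1
            if d == "C":                  # client response to a challenge ("*" aborts)
                if mech == "PLAIN" and authcid is None and l != "*":
                    authcid = plain_authcid(l)
                continue
            if proto == "SMTP":
                if l.startswith("334"):
                    exchanges += 1
                    continue
                outcome = "success" if l.startswith("235") else "failure"
                break
            if l.startswith("+"):
                exchanges += 1
                continue
            parts = l.split(None, 2)
            if len(parts) >= 2 and parts[0] == tag:   # tagged completion for this command
                outcome = "success" if parts[1].upper() == "OK" else "failure"
                break
            # untagged ("*") server data inside the handshake is ignored
        found.append(SaslHandshake(proto, mech, authcid, exchanges, outcome))
    return found


def summarize(transcript: List[Tuple[str, str]]) -> List[str]:
    """One evidence line per handshake, suitable for the test report."""
    return [f"{h.protocol} {h.mechanism} authcid={h.authcid} "
            f"exchanges={h.exchanges} outcome={h.outcome}"
            for h in find_sasl_handshakes(transcript)]


if __name__ == "__main__":
    for sample in (SMTP_SAMPLE, IMAP_SAMPLE):
        print("\n".join(summarize(sample)))
```

The script deliberately keys on application-layer commands, not on port numbers: once the TLS layer is removed, the `AUTH`/`AUTHENTICATE` exchange is the only evidence that SASL was used, which is the point the issue description makes. A handshake reported as `incomplete` (capture cut off before the final reply) or `failure` is not a valid handshake for the purposes of Test 2.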
Justification: See issue description.