NIAP: View Technical Decision Details
TD0790:  NIT Technical Decision: Clarification Required for testing IPv6

Publication Date
2023.09.27

Protection Profiles
CPP_ND_V2.2E

Other References
FCS_DTLSC_EXT.1.2, FCS_TLSC_EXT.1.2, CPP_ND_V2.2-SD

Issue Description

The NIT has published a technical decision for FCS_DTLSC_EXT.1.2 and FCS_TLSC_EXT.1.2.

Resolution

This TD supersedes TD0634, which is now archived.

FCS_DTLSC_EXT.1.2 and FCS_TLSC_EXT.1.2 Test 6 in CPP_ND_V2.2-SD are modified as follows, with green highlights and underlines indicating additions and red highlights and strikethroughs indicating deletions:

 

Objective: The objective of this test is to ensure the TOE is able to differentiate between IP address identifiers that are not allowed to contain wildcards and other types of identifiers that may contain wildcards.

Test 6: [conditional] If IP address identifiers are supported in the SAN or CN, the evaluator shall present a server certificate that contains a CN that matches the reference identifier, except one of the groups has been replaced with a wildcard asterisk (*) (e.g. CN=192*.168.0.1.* when connecting to 192.168.0.1.20, CN=2001:0DB8:0000:0000:0008:0800:200C:* when connecting to 2001:0DB8:0000:0000:0008:0800:200C:417A). The certificate shall not contain the SAN extension. The evaluator shall verify that the connection fails. The evaluator shall repeat this test for each supported IP address version (e.g. IPv4, IPv6).

Justification

This negative test corresponds to the following section of the Application Note 64/105: "The exception being, the use of wildcards is not supported when using IP address as the reference identifier."

For more information, please see the NIT Decision.
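The behaviour Test 6 looks for can be sketched as a reference-identifier check. This is an added example, not text or code from NIAP, the NIT or the cPP: the function names are hypothetical, the IPv4 values are constructed from a documentation address range, and the DNS wildcard rule is a simplified assumption included only to contrast with the IP case.

```python
import ipaddress

def _as_ip(value):
    """Return an address object if value is a literal IPv4/IPv6 address, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(presented, reference):
    """Simplified DNS-name match: '*' is accepted only as the whole left-most label."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if "*" in reference or len(p) != len(r) or p[1:] != r[1:]:
        return False
    if p[0] == "*":
        return len(p) >= 3          # assumption: no wildcard directly under a TLD
    return p[0] == r[0]

def cn_matches(presented_cn, reference_id):
    """Decide whether a certificate CN satisfies the reference identifier."""
    ref_ip = _as_ip(reference_id)
    if ref_ip is not None:
        # IP reference identifier: wildcards are never honoured, and the CN must
        # parse to the same address (binary comparison, so zero-compressed and
        # fully written IPv6 forms of one address are equal).
        if "*" in presented_cn:
            return False
        cn_ip = _as_ip(presented_cn)
        return cn_ip is not None and cn_ip == ref_ip
    return _dns_match(presented_cn, reference_id)

# Constructed sample cases: (CN in certificate, reference identifier).
SAMPLE_CASES = [
    ("2001:0DB8:0000:0000:0008:0800:200C:*", "2001:0DB8:0000:0000:0008:0800:200C:417A"),
    ("2001:db8::8:800:200c:417a", "2001:0DB8:0000:0000:0008:0800:200C:417A"),
    ("192.0.2.*", "192.0.2.20"),
    ("192.0.2.20", "192.0.2.20"),
    ("*.example.com", "www.example.com"),
    ("*.example.com", "192.0.2.20"),
]

def check_samples():
    """Return the match decision for every constructed sample case, in order."""
    return [cn_matches(cn, ref) for cn, ref in SAMPLE_CASES]

if __name__ == "__main__":
    for (cn, ref), ok in zip(SAMPLE_CASES, check_samples()):
        print(f"CN={cn!r:45} ref={ref!r:45} -> {'accept' if ok else 'reject'}")
```

A TOE that passes Test 6 behaves like the first and third cases for each IP version it supports: the connection fails even though every non-wildcard group matches.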

 

 
 