NIAP: View Technical Decision Details
NIAP/CCEVS
TD0405:  FIA_SASL_EXT.1 Testing

Publication Date
2019.03.20

Protection Profiles
PP_APP_EMAILCLIENT_EP_v2.0

Other References
FIA_SASL_EXT.1

Issue Description

Test 2 for FIA_SASL_EXT.1 cannot be performed as written. The packet analyzer cannot indicate that the protocol in use is SASL, for two reasons: SASL itself is not a protocol but an authentication mechanism used by the various email protocols, and the email protocol is protected by TLS, so the packet analyzer can at best guess the application-layer protocol from the TCP port number.

Resolution

Test 2 for FIA_SASL_EXT.1 is rewritten as follows (new text is underlined):

Test 2: The evaluator shall ensure, for each communication channel with an authorized IT entity in test 1, that a valid SASL handshake is performed. To perform this test, the evaluator shall use a sniffer and a packet analyzer. The packet analyzer must indicate that the protocol in use is SASL. The sniffer and packet analyzer must allow the evaluator to view the plaintext email protocol (e.g., proxy, loading the server private key). The evaluator shall identify the SASL handshake within the email protocol.

Justification

See issue description.
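
The last step of the rewritten Test 2, identifying the SASL handshake within the decrypted email protocol, shown as an added example that is not part of the NIAP text. It assumes the plaintext has already been exported as lines prefixed `C: ` (client) and `S: ` (server); the function names, record fields and sample lines are constructed for illustration.

```python
import re

# Opening client command: SMTP/POP3 "AUTH <mech> [ir]" or IMAP "<tag> AUTHENTICATE <mech> [ir]".
START = re.compile(r"^(?:(?P<tag>\S+) AUTHENTICATE|AUTH) (?P<mech>[A-Z0-9_-]{1,20})"
                   r"(?: (?P<ir>\S+))?$", re.I)

def classify(tag, text):
    """Map one server line to (protocol, 'challenge' | 'success' | 'failure' | None)."""
    if tag is not None:                       # IMAP: "+" continuation, tagged completion
        if text == "+" or text.startswith("+ "):
            return "IMAP", "challenge"
        if text.startswith(tag + " "):
            return "IMAP", "success" if text.split()[1].upper() == "OK" else "failure"
        return "IMAP", None                   # untagged data
    if text[:3].isdigit():                    # SMTP: 334 challenge, 235 success
        if text[3:4] == "-":
            return "SMTP", None               # not the last line of a multi-line reply
        return "SMTP", {"334": "challenge", "235": "success"}.get(text[:3], "failure")
    if text.startswith(("+OK", "-ERR")):      # POP3 completion
        return "POP3", "success" if text[0] == "+" else "failure"
    return "POP3", "challenge" if text.startswith("+") else None

def find_sasl_handshakes(lines):
    """Return one record per SASL exchange in a decrypted 'C: ' / 'S: ' transcript."""
    found, cur = [], None
    for raw in lines:
        side, _, text = raw.strip().partition(": ")
        if cur is None:
            m = START.match(text) if side == "C" else None
            if m:                             # opening client command
                cur = {"protocol": None, "mechanism": m["mech"].upper(), "tag": m["tag"],
                       "initial_response": m["ir"] is not None,
                       "challenges": 0, "responses": 0, "outcome": "incomplete"}
                found.append(cur)
        elif side == "C":
            cur["responses"] += text != "*"   # "*" cancels the exchange, it is not a response
        elif side == "S":
            cur["protocol"], kind = classify(cur["tag"], text)
            if kind == "challenge":
                cur["challenges"] += 1
            elif kind:
                cur["outcome"] = kind
                cur = None
    return found

# Constructed sample: decrypted SMTP then IMAP lines (base64 values are placeholders).
SAMPLE = ["C: AUTH PLAIN", "S: 334", "C: Y29uc3RydWN0ZWQ=", "S: 235 2.7.0 ok",
          "C: a1 AUTHENTICATE PLAIN Y29uc3RydWN0ZWQ=", "S: a1 NO [AUTHENTICATIONFAILED] rejected"]
if __name__ == "__main__":
    print(*find_sasl_handshakes(SAMPLE), sep="\n")
```

A record whose outcome stays `incomplete` marks a capture that ended before the server's final reply, so that channel has not yet shown a complete handshake.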

 
 