NIAP: View Technical Decision Details
NIAP/CCEVS
TD0127:  FIA_SIPT_EXT.1.2 - TLS Client X.509 Certificate Authentication

Publication Date
2016.12.21

Protection Profiles
EP_SBC_V1.1

Other References
FIA_SIPT_EXT.1.2

Issue Description

The current FIA_SIPT_EXT.1.2 requirement in the EP_SBC_V1.1 refers to a "username and password" for a service provider. Some SBCs use an IP address and X.509 certificate to validate the service provider.

Resolution

FIA_SIPT_EXT.1.2

The TSF shall require a service provider to provide valid identification in the form of a [selection: username/password, X.509 certificate] and IP address in order to establish a SIP trunk.

Application Note:

The ST author selects the method of authentication used (username/password, X.509 certificate, or both) by the TOE.

Assurance Activity: 

Test 1:

Configure the TOE to support an encrypted SIP trunk. Configure a trunk peer to communicate with the TOE using the SIP trunk. Present a correct username/password combination or valid X.509 certificate on the trunk peer with a SIP trunk request that originates from an expected IP address. Verify via packet capture and audit log that the session was established.

Test 2:

Repeat Test 1, but provide incorrect username/password information or an invalid X.509 certificate on the trunk peer, and verify via packet capture and audit log that the session was not established.

Justification

It was intended for the EP to support TLS client X.509 certificate authentication for SIP trunking; therefore, it is acceptable to use X.509 authentication as an alternative to username/password.
