NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0379:  Updated FCS_IPSEC_EXT.1.11 Tests for VPN Client

Publication Date
2018.12.20

Protection Profiles
MOD_VPN_CLI_V2.1

Other References
FCS_IPSEC_EXT.1.11

Issue Description

The wording of Test 2 is confusing because it mentions the DN when in fact it does not technically require that "DN" be selected as an identifier.  Also, Test 4 lacks clarity.

Resolution

For FCS_IPSEC_EXT.1.11:

Test 2 shall be rewritten as follows:

Test 2: The evaluator shall configure the TOE to use a private key and associated certificate signed by a trusted CA and shall establish an IPsec connection with the peer.

Test 4 shall be deleted.

Test 9 shall be modified as follows (modifications in bold):

Test 9 [conditional]: If the TOE supports DN identifier types, the evaluator shall configure the peer's reference identifier on the TOE (per the administrative guidance) to match the subject DN in the peer's presented certificate and shall verify that the IKE authentication succeeds. To demonstrate a bit-wise comparison of the DN, the evaluator shall change a single bit in the DN (preferably, in an Object Identifer (OID) in the DN) and verify that the IKE authentication fails. To demonstrate a comparison of DN values, the evaluator shall change any one of the four DN values and verify that the IKE authentication fails.

Justification

See issue description

 
 
Site Map              Contact Us              Home