Archived
TD0186: NIT Technical Decision for Applicability of X.509 certificate testing to IPsec
Publication Date
2017.04.10
Protection Profiles
CPP_FW_V1.0, CPP_ND_V1.0
Other References
NDcPP V1.0, FWcPP V1.0, FIA_X509_EXT.1.1
Issue Description
The Network Interpretations Team (NIT) has issued a technical decision regarding the applicability of X.509 certificate testing to IPsec.
Resolution
To align with NIT interpretation # 201628, the following guidance is issued. X.509 certificate testing should be performed for all functionality using X.509 certificates, including IPsec. MITM is not practical for modifying the certificates used in IPsec/IKE; instead, the X.509 tests should use instrumented clients or servers that present modified certificates. For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI28.pdf
Justification
The X.509 requirements are about ensuring the behavior of the TOE when encountering malformed or invalid X.509 certificates regardless of protocol.