Modular Specifications Phase 3 - Certificate Discovery Test Suite
Version 1.0

Prepared by:
ONC Test Team




Date       Version  Person         Items Changed
3/21/2012  0.1      ONC Test Team  Initial Draft Created off of version 0.1 of the Requirements Traceability Matrix
3/28/2012  0.2      ONC Test Team  - Added the Certificate Load tab
                                   - Updated the "Data Load Notes" column in the Test Cases tab
4/24/2012  0.3      ONC Test Team  - Minor Updates to the Test Cases to fix typographical errors
                                   - Updated Initiator test cases that dealt with priority and weight values to use the word "SHOULD" because the requirement is required, but not required
                                   - Added a priority value for test automation to the Test Cases tab.
                                   - Updated test cases DTS576 and DTS580 based on SME feedback
5/9/2012   0.4      ONC Test Team  - Added Initiator and receiver Test Cases for querying for organizational certificates in LDAP Servers
                                   - Broke up the Certificate loads into different tabs for the different Servers where they should be hosted
5/29/2012  0.9      ONC Test Team  - Fixed a typo in the Purpose/Description for DTS550 and DTS551 in the Test Cases tab
                                   - Removed the 3 test data tabs and consolidated them into one Test Data Matrix tab
                                   - Updated the "Expected Results" and the "Test Data Load" columns in the Test Cases tab in order to more easily reflect the requirements for each test case and prevent readers from having to look at the different test data tabs to understand what the test case was trying to accomplish with the test data.
5/31/2012  1.0      ONC Test Team  - Added Test Cases DTS521, and DTS522
Prefix | ID | Focus | Flow | System is Initiator/Receiver | Purpose/Description
DTS | 500 | DNS CERT records | Basic Success | I | Query DNS for X.509 individual Direct address-bound certificate where rfc822name is populated in the certificate
DTS | 501 | DNS CERT records | Variant Success | I | Query DNS for X.509 Direct domain-bound certificate where the dNSName is populated in the certificate - Do not choose domain-bound LDAP certificate.
DTS | 521 | DNS CERT records | Variant Success | I | Query DNS for X.509 Direct domain-bound certificate where the dNSName is populated in the certificate - Do not choose address-bound LDAP certificate.
DTS | 522 | DNS CERT records | Variant Success | I | Query DNS for X.509 Direct domain-bound certificate where the dNSName is populated in the certificate - Invalid DNS address-bound certificate loaded on Test Tool as well
DTS | 502 | DNS CERT records | Variant Success | I | Query DNS for Direct certificate that is larger than 512 bytes
DTS | 503 | DNS CERT records | Variant Success | I | Query DNS for IPKIX individual Direct address-bound certificate
DTS | 505 | LDAP | Variant Success | I | Query DNS for LDAP SRV Resource Record and query LDAP for X.509 Cert that is bound to the rfc822name in the certificate
DTS | 515 | LDAP | Variant Success | I | Query DNS for LDAP SRV Resource Record and query LDAP for domain-bound X.509 Cert that is bound to the dNSName in the certificate
DTS | 519 | LDAP | Variant Success | I | Query two LDAP servers - One LDAP Instance does not return a valid certificate
DTS | 506 | LDAP | Variant Success | I | Query for Direct address from LDAP servers based on priority value - Address bound certificates
DTS | 507 | LDAP | Variant Success | I | Query for Direct address from LDAP servers based on priority value - One LDAP instance unavailable
DTS | 517 | LDAP | Variant Success | I | Query for Direct address from LDAP servers based on priority value - One LDAP Instance does not return a valid certificate
DTS | 508 | LDAP | Variant Success | I | Query for LDAP certificate based on weight value
DTS | 509 | LDAP | Variant Success | I | Query for Direct address from LDAP services based on weight value - One LDAP instance unavailable
DTS | 518 | LDAP | Variant Success | I | Query for Direct address from LDAP servers based on weight value - LDAP Instance does not return a valid certificate
DTS | 510 | LDAP | Variant Success | I | Correctly process a referral to another LDAP service
DTS | 511 | LDAP | Error | I | No certificate found in DNS CERT or LDAP instance
DTS | 512 | LDAP | Error | I | No certificate found in DNS CERT and no SRV records
DTS | 520 | LDAP | Error | I | No valid Certificate found in DNS CERT or LDAP instance
DTS | 513 | LDAP | Error | I | System receives "Undefined" response from the Testing Tool
DTS | 550 | DNS CERT records | Basic Success | R | System's DNS correctly stores X.509 individual Direct address-bound certificate
DTS | 551 | DNS CERT records | Variant Success | R | System's DNS correctly stores X.509 Direct domain-bound certificate
DTS | 552 | DNS CERT records | Variant Success | R | Use DNS to store IPKIX individual Direct address-bound certificate
DTS | 573 | DNS CERT records | Variant Success | R | System's DNS can respond to CERT queries that are in different cases
DTS | 554 | DNS CERT records | Variant Success | R | System's DNS can correctly respond to UDP queries for certificate records that are larger than 512 bytes
DTS | 555 | DNS CERT records | Variant Success | R | System can respond to DNS CERT queries using TCP
DTS | 556 | LDAP | Basic Success | R | System returns individual X.509 certificate from LDAP server
DTS | 570 | LDAP | Basic Success | R | System returns organizational X.509 certificate from LDAP server
DTS | 557 | LDAP | Variant Success | R | System's LDAP server responds correctly when cases do not match
DTS | 558 | LDAP | Variant Success | R | System's LDAP server responds to a more complex filter - mail attribute with special characters
DTS | 560 | LDAP | Variant Success | R | System's LDAP correctly handles more complex filters (AND, AND NOT)
DTS | 586 | LDAP | Variant Success | R | System's LDAP correctly handles more complex filters (OR)
DTS | 562 | LDAP | Variant Success | R | System's LDAP correctly handles extensibleMatch field using a matchingRule
DTS | 563 | LDAP | Error | R | System's LDAP correctly handles greater than filter - Returns undefined
DTS | 564 | LDAP | Variant Success | R | System's LDAP correctly handles less than filter - Resolves to TRUE
DTS | 565 | LDAP | Variant Success | R | System's LDAP correctly handles a sizeLimit restriction
DTS | 566 | LDAP | Variant Success | R | System's LDAP correctly handles a timeLimit restriction
DTS | 567 | LDAP | Variant Success | R | System's LDAP correctly handles the "present" filter for the userCertificate attribute
DTS | 568 | LDAP | Variant Success | R | System's LDAP correctly handles an empty SearchRequest.attributes field
DTS | 569 | LDAP | Variant Success | R | System's LDAP correctly handles an "*" SearchRequest.attributes field
DTS | 571 | LDAP | Variant Success | R | System's LDAP correctly handles duplicate entries in SearchRequest.attributes field
DTS | 572 | LDAP | Variant Success | R | System's LDAP correctly handles unknown entries in SearchRequest.attributes field
DTS | 575 | General DNS | Error | R | Respond correctly when UDP is not the correct protocol for RR greater than 512 bytes
DTS | 576 | LDAP | Error | R | System's LDAP rejects non-anonymous binding (trying to get access using incorrect username and password)
DTS | 577 | LDAP | Error | R | System's LDAP rejects a base DN query that they don't have
DTS | 578 | LDAP | Error | R | System's LDAP handles 2 requests at the same time
DTS | 580 | LDAP | Error | R | Testing Tool queries LDAP using the old OID, 0.9.2342.19200300.100.3.5, for the mail attribute
DTS | 581 | LDAP | Error | R | Testing Tool sends an LDAP request without binding first
Test Steps (the bracketed value after each test case ID is its Required / Optional / Conditional column)

DTS 500 [R]
Precondition: Testing Tool's DNS has a Direct address-bound X.509 certificate in the CERT Resource Record and the rfc822Name matches the email address.
1. The System queries DNS for the Testing Tool's certificate.
2. The DNS returns the certificate to the System.
3. The System uses the certificate to send a message to the Testing Tool.
4. The Testing Tool verifies that the correct certificate was used to send the message using the private key associated with the certificate.

DTS 501 [R]
Precondition: Testing Tool's DNS has a Direct domain-bound X.509 certificate in the CERT Resource Record and the dNSName is populated with the domain name for the email address.
1. The System queries DNS for the Testing Tool's certificate.
2. Return to step 2 of the basic flow.

DTS 521 [R]
Precondition: Testing Tool's DNS has a Direct domain-bound X.509 certificate in the CERT Resource Record and the dNSName is populated with the domain name for the email address.
1. The System queries DNS for the Testing Tool's certificate.
2. Return to step 2 of the basic flow.

DTS 522 [R]
Precondition: Testing Tool's DNS has a Direct domain-bound X.509 certificate in the CERT Resource Record and the dNSName is populated with the domain name for the email address.
1. The System queries DNS for the Testing Tool's certificate.
2. Return to step 2 of the basic flow.

DTS 502 [R]
Precondition: Testing Tool's CERT RR contains a certificate that is greater than 512 bytes.
1. The System queries DNS for the Testing Tool's certificate.
2. Return to step 2 of the basic flow.

DTS 503 [R]
Precondition: Testing Tool's DNS has a Direct address-bound IPKIX certificate in the CERT Resource Record.
1. The System queries DNS for the Testing Tool's certificate.
2. Return to step 2 of the basic flow.

DTS 505 [R]
Preconditions:
- Testing Tool's DNS contains one SRV Resource Record for LDAP service.
- Testing Tool's LDAP service contains a certificate that is bound to the email address using the rfc822Name of the certificate.
1. The System queries DNS for the Testing Tool's certificate.
2. The DNS returns no valid CERT records for the address.
3. The System queries for a SRV record pointing to an LDAP server.
4. The DNS returns the Testing Tool's LDAP information to the System.
5. The System queries the Testing Tool's LDAP server for the direct email address using anonymous binding.
6. The Testing Tool returns the matching certificate to the System.
7. The System uses the correct and valid certificate to send a message to the Testing Tool.
8. The Testing Tool verifies that the correct certificate was used to send the message using the private key associated with the certificate.
DTS 515 [R]
Preconditions:
- Testing Tool's DNS contains one SRV Resource Record for LDAP service.
- Testing Tool's LDAP service contains a certificate bound to the domain using the dNSName in the certificate.
1. The System queries DNS for the Testing Tool's certificate.
2. The DNS returns no valid CERT records for the address.
3. The System queries for a SRV record pointing to an LDAP server.
4. The DNS returns the Testing Tool's LDAP information to the System.
5. The System queries the Testing Tool's LDAP server for the direct email address using anonymous binding.
6. The Testing Tool does not return any matching valid certificates to the System.
7. The System queries the Testing Tool's LDAP server for the direct email address domain name using anonymous binding.
8. Return to step 6 of DTS 505.

DTS 519 [R]
Preconditions: The Testing Tool's DNS contains multiple SRV RRs for LDAP services with the same priority and weight values. One of the LDAP servers does not contain a valid certificate for the Direct email address provided.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. The Testing Tool does not return a valid CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. The Testing Tool returns multiple SRV Resource Records with the same priority and weight values to the System.
5. The System queries an LDAP server for the direct email address using anonymous binding.
6. The Testing Tool's LDAP service returns an invalid certificate to the System.
7. The System queries the LDAP server for the direct email address domain name using anonymous binding.
8. The Testing Tool does not return a valid certificate for the direct email address domain name.
9. The System attempts to query the remaining LDAP service using anonymous binding.
10. Return to step 6 of DTS 505.
Alternative flow from step 5 of the Basic Flow (if the System queries the LDAP server that contains the valid certificate):
1. Return to step 6 of DTS 505.

DTS 506 [R]
Preconditions:
- Testing Tool's DNS contains multiple SRV RRs for LDAP services with different priority values.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns multiple SRV Resource Records with different priorities to the System.
5. The System SHOULD query the LDAP service with the lowest priority value first using anonymous binding and queries for a certificate.
6. Return to step 6 of DTS 505.

DTS 507 [R]
Preconditions: The Testing Tool's DNS contains multiple SRV RRs for LDAP services with different priority values. The lowest valued priority SRV record points to an LDAP Server that is not available.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns multiple SRV Resource Records with different priorities to the System.
5. The System SHOULD attempt to query the LDAP service with the lowest priority value first using anonymous binding and queries for a cert.
6. Testing Tool's LDAP service is unavailable.
7. The System attempts to query the LDAP service with the next lowest priority using anonymous binding.
8. Return to step 6 of DTS 505.

DTS 517 [R]
Preconditions: The Testing Tool's DNS contains multiple SRV RRs for LDAP services with different priority values. The lowest valued priority SRV record points to an LDAP Server that does not contain a valid certificate for the Direct email address provided.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns multiple SRV Resource Records with different priorities to the System.
5. The System SHOULD attempt to query the LDAP service with the lowest priority value first using anonymous binding and queries for a cert.
6. Testing Tool's LDAP service returns an invalid certificate to the System.
7. The System attempts to query the LDAP service with the next lowest priority using anonymous binding.
8. Return to step 6 of DTS 505.

DTS 508 [R]
Preconditions:
- Testing Tool's DNS contains multiple SRV RRs for LDAP services with the same priority values but different weight values.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns multiple SRV Resource Records with the same priority values, but different weight values to the System.
5. The System SHOULD query the LDAP service with the highest weight value first using anonymous binding and queries for the Direct certificate.
6. The Testing Tool's LDAP server does not return a valid certificate for the direct user to the System.
7. The System queries the next highest weight valued SRV record's LDAP server for the Direct certificate.
8. Return to step 6 of DTS 505.

DTS 509 [R]
Preconditions:
- Testing Tool's DNS contains multiple SRV RRs for LDAP services with the same priority values but different weight values. The highest valued weight SRV record points to an LDAP Server that is not available.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns multiple SRV Resource Records with the same priority values but different weight values to the System.
5. The System SHOULD attempt to query the LDAP service with the lowest priority value and the highest weight first using anonymous binding and queries for a cert.
6. Testing Tool's LDAP service is unavailable.
7. The System attempts to query the LDAP service with the next highest weight using anonymous binding.
8. Return to step 6 of DTS 505.

DTS 518 [R]
Preconditions: The Testing Tool's DNS contains multiple SRV RRs for LDAP services with different priority values. The highest valued weight SRV record points to an LDAP Server that does not contain a valid certificate for the direct email address.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns multiple SRV Resource Records with the same priority values and different weight values to the System.
5. The System SHOULD attempt to query the LDAP service with the highest weight value first using anonymous binding and queries for a cert.
6. Testing Tool's LDAP service returns an invalid certificate to the System.
7. The System attempts to query the LDAP service with the next lowest priority using anonymous binding.
8. Return to step 6 of DTS 505.
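The discovery order that DTS 505 through DTS 520 exercise (DNS CERT for the address, then the domain, then SRV-ordered LDAP servers, skipping any server that is unavailable or hands back an invalid certificate), written out as an added Python example that is not the test suite's own code or that of any system under test. The DNS, LDAP and certificate-validation back-ends are injected callables driven by constructed fixtures; the Direct address, server names and certificate bytes are placeholders. It orders SRV records by lowest priority, then highest weight, as the test cases word it (RFC 2782 itself prescribes a weighted random pick within one priority).

```python
# Added example, not code from the ONC test suite: DNS, LDAP and validation are
# injected callables so the DTS 505-520 flows run offline on constructed fixtures.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    target: str


class LdapUnavailable(Exception):
    """Raised by the LDAP lookup when a server cannot be reached (DTS 507, 509)."""


def order_srv_records(records: Sequence[SrvRecord]) -> list[SrvRecord]:
    # Lowest priority first, highest weight first within a priority (DTS 506, 508).
    # RFC 2782 prescribes a weighted random pick within one priority; the suite's
    # "SHOULD query the highest weight first" wording is applied literally here.
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def discover_certificate(
    address: str,
    dns_cert: Callable[[str], Optional[bytes]],
    dns_srv: Callable[[str], Sequence[SrvRecord]],
    ldap_cert: Callable[[SrvRecord, str], Optional[bytes]],
    is_valid: Callable[[Optional[bytes], str], bool],
) -> tuple[Optional[bytes], list[str]]:
    # Returns (certificate or None, trace of lookups). Order: DNS CERT for the
    # address, then its domain; then each SRV-ordered LDAP server for the address,
    # then the domain. An unavailable server or an invalid certificate is skipped,
    # never used (DTS 507, 509, 517, 518, 520).
    domain = address.split("@", 1)[1]
    trace: list[str] = []
    for name in (address, domain):
        cert = dns_cert(name)
        if is_valid(cert, address):
            trace.append(f"CERT:{name}")
            return cert, trace
    trace.append("CERT:none")
    records = dns_srv(domain)
    if not records:                        # DTS 512: no SRV records, no message
        trace.append("SRV:none")
        return None, trace
    for rec in order_srv_records(records):
        for name in (address, domain):
            try:
                cert = ldap_cert(rec, name)
            except LdapUnavailable:
                trace.append(f"LDAP:{rec.target}:unavailable")
                break                      # move on to the next SRV record
            if is_valid(cert, address):
                trace.append(f"LDAP:{rec.target}:{name}")
                return cert, trace
            trace.append(f"LDAP:{rec.target}:{name}:invalid")
    return None, trace                     # DTS 511/520: nothing valid anywhere


# Constructed fixtures: placeholder Direct address and stand-in certificate bytes.
ADDRESS = "drbob@direct.example.test"
DOMAIN = "direct.example.test"
GOOD = b"GOOD-CERT"       # stands in for a valid DER certificate
BAD = b"EXPIRED-CERT"     # stands in for a certificate that fails validation

SCENARIOS = {
    # DTS 522: invalid address-bound CERT in DNS beside a valid domain-bound one.
    522: ([], {}, {ADDRESS: BAD, DOMAIN: GOOD}),
    # DTS 507: lowest-priority LDAP server is down; the next priority serves it.
    507: ([SrvRecord(10, 0, "ldap1"), SrvRecord(20, 0, "ldap2")],
          {"ldap1": "down", "ldap2": {ADDRESS: GOOD}}, {}),
    # DTS 518: same priority; the highest-weight server returns an invalid cert
    # and the other holds only a domain-bound cert (the DTS 515 path).
    518: ([SrvRecord(10, 50, "ldapA"), SrvRecord(10, 80, "ldapB")],
          {"ldapB": {ADDRESS: BAD}, "ldapA": {DOMAIN: GOOD}}, {}),
    # DTS 512: no CERT record and no SRV records; discovery fails, nothing sent.
    512: ([], {}, {}),
}


def is_valid_stub(cert: Optional[bytes], address: str) -> bool:
    # Real code would verify chain, validity period, revocation and that the
    # rfc822Name/dNSName in the certificate matches `address` or its domain.
    return cert == GOOD


def run_dts(case_id: int) -> tuple[Optional[bytes], list[str]]:
    """Drive discover_certificate() with the fixtures for one DTS scenario."""
    srv, ldap_table, cert_table = SCENARIOS[case_id]

    def ldap_cert(rec: SrvRecord, name: str) -> Optional[bytes]:
        entry = ldap_table.get(rec.target, {})
        if entry == "down":
            raise LdapUnavailable(rec.target)
        return entry.get(name)

    return discover_certificate(
        ADDRESS, cert_table.get, lambda _domain: srv, ldap_cert, is_valid_stub)
```

The trace returned by run_dts() is the evidence a reviewer would check against the expected step sequence: a server that was down or returned an invalid certificate appears in the trace but never as the source of the certificate used.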
DTS 510 [R]
Preconditions:
- Testing Tool's DNS contains a SRV RR for an LDAP service.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns an SRV Resource Record for the Testing Tool's LDAP Service.
5. The System queries the Testing Tool's LDAP service using anonymous binding.
6. The Testing Tool's LDAP server returns the userCertificate attribute with a referral to another server in the form of a URI.
7. The System queries the referred service.
8. Return to step 6 of DTS 505.
Alternate Flow:
1. From Step 6 of the Basic flow, the System chooses not to progress the operation to the referred LDAP server.

DTS 511 [R]
Preconditions:
- Testing Tool does not contain a certificate for the Direct address but has an LDAP directory and a SRV record pointing to the LDAP service.
1. Using a Direct address, the System queries the Testing Tool's DNS for a CERT Resource Record.
2. The Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. The System queries the Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. The Testing Tool returns an SRV Resource Record with a pointer to the LDAP service to the System.
5. The System queries the LDAP service and does not find the Direct email address in the LDAP server.
6. The Reviewer verifies that the System did not discover the certificate and the mail message was not sent.

DTS 512 [R]
Preconditions:
- Testing Tool does not contain a certificate for the Direct address.
1. Using a Direct address, the System queries the Testing Tool's DNS for a CERT Resource Record.
2. The Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. The System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. The Testing Tool does not have a SRV RR.
5. The Reviewer verifies that the System did not discover the certificate and the mail message was not sent.

DTS 520 [R]
Preconditions:
- Testing Tool does not contain a certificate for the Direct address but has an LDAP directory and a SRV record pointing to the LDAP service.
1. Using a Direct address, the System queries the Testing Tool's DNS for a CERT Resource Record.
2. The Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. The System queries the Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. The Testing Tool returns an SRV Resource Record with a pointer to the LDAP service to the System.
5. The System queries the LDAP service and does not find the Direct email address in the LDAP server.
6. The Reviewer verifies that the System did not discover the certificate and the mail message was not sent.

DTS 513 [R]
Preconditions: The Testing Tool's DNS contains an SRV RR for an LDAP service.
1. Using a Direct address, System queries Testing Tool's DNS for a CERT Resource Record.
2. Testing Tool does not return a CERT Resource Record to the System for the email address or the domain.
3. System queries Testing Tool's DNS for a SRV Resource Record for the LDAP service.
4. Testing Tool returns an SRV Resource Record to the System.
5. The System queries the LDAP service using anonymous binding.
6. Testing Tool returns an "Undefined" response to the System.
                                                                        Conditional
                                                                        for Systems
                                                                        that use
Precondition: System's DNS has a Direct address-bound X.509 certificate DNS CERT
in the CERT Resource Record.                                            records for
1. The Testing Tool queries DNS for the System's certificate.           individual
2. The DNS returns the certificate to the Testing Tool.                 X.509
                                                                        certificates


                                                                         Conditional
                                                                         for Systems
                                                                         that use
                                                                         DNS CERT
                                                                         records for
Precondition: System's DNS has a Direct organizationally-bound X.509     organization
certificate in the CERT Resource Record.                                 ally-bound
1. The Testing Tool queries DNS for the System's certificate.            X.509
2. Return to step 2 of the basic flow.                                   certificates



Precondition: System's DNS has a Direct address-bound IPKIX certificate in the CERT Resource Record.
1. The Testing Tool queries DNS for the System's certificate.
2. Return to step 2 of the basic flow.
Requirement: Conditional for Systems that use DNS CERT records for individually bound IPKIX certificates

Precondition: The System's DNS contains a CERT record.
1. The Testing Tool queries DNS for the System's direct certificate using a mix of upper and lower case characters in the direct email address.
2. The System should return the CERT Record to the Testing Tool.
Requirement: Conditional for Systems that store their certificates in LDAP servers
1. The Testing Tool queries DNS for the System's certificate using UDP.
2. Return to step 2 of the basic flow.
Requirement: Required

1. The Testing Tool queries DNS for the System's certificate using TCP.
2. Return to step 2 of the basic flow.
Requirement: Required

Preconditions:
- System's DNS contains one SRV Resource Record for LDAP service.
- System's LDAP service contains an X.509 certificate.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the System.
5. The Testing Tool queries the System's LDAP server using anonymous binding and discovers the certificate for the System's direct email address.
6. The Reviewer verifies that the System has discovered the certificate.
Requirement: Conditional for Systems that use DNS to point to LDAP and store X.509 Certificates in their LDAP server
Preconditions:
- System's DNS contains one SRV Resource Record for LDAP service.
- System's LDAP service contains an X.509 certificate.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the System.
5. The Testing Tool queries the System's LDAP server using anonymous binding and discovers the organizational certificate for the System's direct email address domain name.
Requirement: Conditional for Systems that use DNS to point to LDAP and store X.509 organizational Certificates in their LDAP server

Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using a mix of upper and lower case characters in the direct email address.
6. The System returns the requested attributes to the Testing Tool.
Requirement: Conditional for Systems that store their certificates in LDAP servers
Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using an asterisk (*) wildcard to match any value that comes before or after the asterisks.
Requirement: Conditional for Systems that store their certificates in LDAP servers

Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using AND and AND NOT filters.
6. The System returns the requested attributes to the Testing Tool.
Requirement: Conditional for Systems that store their certificates in LDAP servers
Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using an OR filter.
6. The System returns the requested attributes to the Testing Tool.
Requirement: Conditional for Systems that store their certificates in LDAP servers

Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using the extensibleMatch and filters on the System's direct email address.
Requirement: Conditional for Systems that store their certificates in LDAP servers
Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using the greater than filter for the mail attribute.
6. The System should return an "undefined" match to the Testing Tool.
Requirement: Conditional for Systems that store their certificates in LDAP servers

Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using the less than filter for the mail attribute.
6. The System returns the requested certificate to the Testing Tool.
Requirement: Conditional for Systems that store their certificates in LDAP servers
Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using a sizeLimit restriction.
6. The System returns the requested certificate or returns a sizeLimitExceeded response.
Requirement: Conditional for Systems that store their certificates in LDAP servers

Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using the timeLimit restriction in the filter.
6. The System MUST return the query within the asserted timeLimit or return a timeLimitExceeded response.
Requirement: Conditional for Systems that store their certificates in LDAP servers
Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate filtering on the mail attribute AND the userCertificate.
6. The System returns entries where the mail attribute equals the address provided AND the object also MUST contain a userCertificate.
Requirement: Conditional for Systems that store their certificates in LDAP servers

Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using the "mail" attribute with an empty SearchRequest.attributes field.
6. The System should return all user attributes for the address provided.
Requirement: Conditional for Systems that store their certificates in LDAP servers
Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using the mail attribute and requests all attributes and all operational attributes be returned using the * character.
6. The System should return all user attributes in addition to other listed (operational) attributes for the object that matches the queried direct address.
Requirement: Conditional for Systems that store their certificates in LDAP servers

Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate by sending duplicate userCertificate requests in the SearchRequest.attributes field.
Requirement: Conditional for Systems that store their certificates in LDAP servers
Precondition: The System's LDAP server contains a certificate for a direct address.
1. The Testing Tool queries DNS for the System's certificate.
2. The DNS returns no CERT records for the address or domain.
3. The Testing Tool queries for an SRV record pointing to an LDAP server.
4. The DNS returns the System's LDAP information to the Testing Tool.
5. The Testing Tool queries the System's LDAP server for the System's direct certificate using the correct mail attribute and requests an unknown attribute to be returned by the System.
6. The System should return the certificate to the Testing Tool and ignore the unrecognized requested attributes.
Requirement: Conditional for Systems that store their certificates in LDAP servers

1. The Testing Tool queries DNS for the System's certificate using UDP.
2. The System responds with a truncated message (the header field MUST indicate that the message is truncated).
Requirement: Conditional for Systems with CERT or SRV records in DNS that are larger than 512 bytes
Precondition: The System's DNS contains a RR for a SRV record that points to an LDAP server.
1. The Testing Tool queries DNS for the System's direct email address.
2. The DNS points the Testing Tool to the LDAP server.
3. The Testing Tool attempts to connect to the LDAP server using a username and a password of zero length.
4. The System should not allow the Testing Tool access to the directory.
Requirement: Conditional for Systems that store certificates in LDAP servers

Precondition: The System's DNS contains a RR for a SRV record that points to an LDAP server. The Testing Tool queries for an email address that the System does not have.
1. The Testing Tool queries DNS for the System's direct email address.
2. The DNS points the Testing Tool to the LDAP server.
3. The Testing Tool connects to the System's LDAP server and does a query for an email address that the LDAP server does not have.
4. The System returns a SearchResultDone message with a noSuchObject result code to the Testing Tool without returning any results.
Requirement: Conditional for Systems that store certificates in LDAP servers
Precondition: The System's DNS contains a RR for a SRV record that points to an LDAP server.
1. The Testing Tool queries DNS for the System's direct email address.
2. The DNS points the Testing Tool to the LDAP server.
3. The Testing Tool attempts to connect to the LDAP server while another system is already bound to the LDAP server.
4. The System's LDAP server SHOULD NOT process or respond to requests received while processing a BindRequest.
Requirement: Conditional for Systems that store certificates in LDAP servers

Precondition: The System's DNS contains a RR for a SRV record that points to an LDAP server.
1. The Testing Tool queries DNS for the System's direct email address.
2. The DNS points the Testing Tool to the LDAP server.
3. The Testing Tool binds to the LDAP server using anonymous authentication and uses the older version of the "mail" LDAP OID.
4. The System MAY process the request if it is backward compatible or may send an error in response if it is not backward compatible to the old mail attribute OID.
Requirement: Conditional for Systems that store certificates in LDAP servers
Precondition: The System's DNS contains an RR for an SRV record that points to an LDAP server.
1. The Testing Tool queries DNS for the System's direct email address.
2. The DNS points the Testing Tool to the LDAP server.
3. The Testing Tool attempts to execute a query on the LDAP server without binding first.
4. The System should not allow the Testing Tool access to the directory (operationsError).
Requirement: Conditional for Systems that store certificates in LDAP servers
Columns: Additional Info/Notes; Data Load Notes for Individual Test Cases - See the Test Data Matrix for more comprehensive Certificate Loading; Request Parameters
Data Load Notes: Load a valid certificate for dts500@direct1.testteam.us in a DNS CERT record.
Also load expired, unbound, revoked, and invalid signature certificates in DNS CERT records for dts500@direct1.testteam.us. Add a valid domain-bound certificate for direct1.testteam.us to a DNS CERT Record. Add a valid address-bound certificate for dts500@direct1.testteam.us to an LDAP server and add an SRV record for that server. Finally, add a valid domain-bound certificate for direct1.testteam.us to the same LDAP server. This will test that the System does not skip a step in the algorithm and choose the wrong valid certificate.
Request Parameters: System: Use dts500@direct1.testteam.us
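The step order the dts500 load exercises, as an added worked example (not code from the test suite or from any Direct implementation): a resolver over constructed in-memory DNS CERT and LDAP tables that takes the first valid certificate from DNS address-bound, then DNS domain-bound, then LDAP address-bound, then LDAP domain-bound. The LDAP address-before-domain order, the Cert.problem flag standing in for real path validation, and all names and addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed stand-in for a certificate: `problem` is None when the certificate
# is valid, otherwise the reason it must be skipped (expired, revoked, unbound,
# invalid signature). Real validation is out of scope and represented by this flag.
@dataclass(frozen=True)
class Cert:
    subject: str
    problem: Optional[str] = None


def address_to_dns_name(address: str) -> str:
    """Direct address as a DNS owner name: the '@' becomes a '.', as in the
    suite's example drwho@direct.sunnyvalley.org -> drwho.direct.sunnyvalley.org."""
    local, domain = address.rsplit("@", 1)
    return f"{local}.{domain}".lower()          # DNS names are case-insensitive


def discover_certificate(address: str,
                         dns_cert: Dict[str, List[Cert]],
                         ldap: Dict[str, List[Cert]]) -> Tuple[Optional[str], Optional[Cert]]:
    """Return (source, cert) from the first step that yields a valid certificate.

    dns_cert maps a lower-case DNS owner name to its CERT records; ldap maps a
    lower-case mail attribute value (address or bare domain) to the entries'
    certificates. The steps are tried in this order and none may be skipped:
      1. DNS CERT, address-bound     2. DNS CERT, domain-bound
      3. LDAP, address-bound         4. LDAP, domain-bound
    (3-before-4 is assumed; the dts500 load implies 1, then 2, then LDAP).
    """
    domain = address.rsplit("@", 1)[1].lower()
    steps = (
        ("dns-address", dns_cert.get(address_to_dns_name(address), [])),
        ("dns-domain", dns_cert.get(domain, [])),
        ("ldap-address", ldap.get(address.lower(), [])),
        ("ldap-domain", ldap.get(domain, [])),
    )
    for source, certs in steps:
        valid = [c for c in certs if c.problem is None]
        if valid:
            return source, valid[0]
    return None, None


# Constructed tables mirroring the dts500, dts501 and dts505 data load notes.
DNS_CERT: Dict[str, List[Cert]] = {
    "dts500.direct1.testteam.us": [
        Cert("dts500@direct1.testteam.us", "expired"),
        Cert("dts500@direct1.testteam.us", "revoked"),
        Cert("dts500@direct1.testteam.us", "invalid signature"),
        Cert("dts500@direct1.testteam.us"),              # the one that must win
    ],
    "dts501.direct1.testteam.us": [Cert("dts501@direct1.testteam.us", "invalid")],
    "direct1.testteam.us": [Cert("direct1.testteam.us")],
    "dts505.direct2.testteam.us": [Cert("dts505@direct2.testteam.us", "expired")],
}
LDAP: Dict[str, List[Cert]] = {
    "dts500@direct1.testteam.us": [Cert("dts500@direct1.testteam.us")],
    "direct1.testteam.us": [Cert("direct1.testteam.us")],
    "dts505@direct2.testteam.us": [Cert("dts505@direct2.testteam.us")],
}


def discover_source(address: str) -> Optional[str]:
    """Which step answered for `address` against the constructed tables."""
    return discover_certificate(address, DNS_CERT, LDAP)[0]
```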




Data Load Notes: Load an invalid address-bound certificate in a DNS record. Load a valid certificate for the domain direct1.testteam.us in a DNS CERT record. Have a valid domain-bound certificate in an LDAP server.
Request Parameters: System: Use dts501@direct1.testteam.us
Data Load Notes: Load an invalid address-bound certificate in a DNS record. Load a valid certificate for the domain direct1.testteam.us in a DNS CERT record. Have a valid address-bound certificate in an LDAP server.
Request Parameters: System: Use dts521@direct1.testteam.us

Data Load Notes: Load an invalid address-bound certificate in a DNS record. Load a valid certificate for the domain direct1.testteam.us in a DNS CERT record.
Request Parameters: System: Use dts522@direct1.testteam.us

Additional Info/Notes: If the System initiates the connection with UDP, it will need to be able to switch to TCP and initiate a new connection.
Data Load Notes: Load a valid address-bound certificate in a DNS CERT record for dts502@direct1.testteam.us. Make sure this certificate size is larger than 512 bytes.
Request Parameters: System: Use dts502@direct1.testteam.us

Data Load Notes: Load a certificate for dts503@direct1.testteam.us into a server and obtain its URI. Place the URI into a DNS CERT record for dts503.direct1.testteam.us.
Request Parameters: System: dts503@direct1.testteam.us
Data Load Notes: Load expired, unbound, revoked, and invalid signature certificates in DNS CERT records for dts505@direct2.testteam.us.
Add an SRV record to the DNS that points to the Test Tool's LDAP Server.
Protocol: TCP
Priority: 0
Weight: 0
Load a valid certificate for dts505@direct2.testteam.us into the LDAP server with the appropriate mail attribute and InetOrgPerson Schema.
Request Parameters: System: dts505@direct2.testteam.us

Data Load Notes: Load an invalid address-bound certificate for dts515@direct2.testteam.us in a DNS CERT record. Load invalid domain-bound certificates for direct2.testteam.us to DNS CERT records.
Add an SRV record to the DNS that points to the Test Tool's LDAP Server.
Protocol: TCP
Priority: 0
Weight: 0
Load an invalid address-bound certificate for dts515@direct2.testteam.us to this LDAP server. Load a valid domain-bound certificate for direct2.testteam.us into this server.
Request Parameters: System: dts515@direct2.testteam.us
Data Load Notes: Testing Tool: Add the following SRV records to the DNS that point to the Test Tool's LDAP Servers.
SRV Record 1
Protocol: TCP
Priority: 0
Weight: 0
Load an invalid certificate for dts519@direct3.testteam.us
SRV Record 2
Protocol: TCP
Priority: 0
Weight: 0
Load a valid certificate for dts519@direct3.testteam.us
Request Parameters: System: dts519@direct3.testteam.us
Data Load Notes: Testing Tool: Add the following SRV records to the DNS that point to the Test Tool's LDAP Servers.
SRV Record 1
Protocol: TCP
Priority: 0
Weight: 0
Load a valid certificate for dts506@direct2.testteam.us to this server.
SRV Record 2
Protocol: TCP
Priority: 1
Weight: 0
Load a valid certificate for dts506@direct2.testteam.us to this server.
Request Parameters: System: dts506@direct2.testteam.us
Data Load Notes: Testing Tool: Add the following SRV records to the DNS that point to the Test Tool's LDAP Servers.
SRV Record 1 (make this LDAP server unavailable)
Protocol: TCP
Priority: 0
Weight: 0
Load a valid certificate for dts507@direct3.testteam.us
SRV Record 2
Protocol: TCP
Priority: 1
Weight: 0
Load a valid certificate for dts507@direct3.testteam.us
Request Parameters: System: dts507@direct3.testteam.us
Data Load Notes: Testing Tool: Add the following SRV records to the DNS that point to the Test Tool's LDAP Servers.
SRV Record 1
Protocol: TCP
Priority: 0
Weight: 0
No valid certificate for direct3.testteam.us or for dts517@direct3.testteam.us
SRV Record 2
Protocol: TCP
Priority: 1
Weight: 0
Load a valid certificate for dts517@direct3.testteam.us
Request Parameters: System: dts517@direct2.testteam.us
Additional Info/Notes: The algorithm for choosing SRV records with the same priority values is as follows: Choose a uniform random number between 0 and the sum computed (inclusive), and select the RR whose running sum value is the first in the selected order which is greater than or equal to the random number selected. The target host specified in the selected SRV RR is the next one to be contacted by the client. Remove this SRV RR from the set of the unordered SRV RRs and apply the described algorithm to the unordered SRV RRs to select the next target host. Continue the ordering process until there are no unordered SRV RRs.
Data Load Notes: Testing Tool: Add the following SRV records to the DNS that point to the Test Tool's LDAP Servers.
SRV Record 1
Protocol: TCP
Priority: 0
Weight: 3
Load a valid certificate for dts508@direct3.testteam.us
SRV Record 2
Protocol: TCP
Priority: 0
Weight: 1
Load a valid certificate for dts508@direct3.testteam.us
Request Parameters: System: dts508@direct3.testteam.us
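The SRV ordering described in the note, as an added example (not the test suite's code): records are grouped by priority, lowest value first, and ties are broken by the weighted draw the note spells out; a second helper walks the resulting order skipping unavailable servers, which is what the dts507 and dts509 loads exercise. The record class, the host names and the seed handling are assumptions.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    target: str          # constructed LDAP host name, e.g. "ldap1.testtool.example"


def order_same_priority(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Weighted ordering of RRs that share one priority, as the note describes:
    draw a uniform number in [0, sum of weights] (inclusive), take the first RR
    whose running weight sum reaches it, remove it, and repeat until none are left."""
    unordered = list(records)
    ordered: List[SrvRecord] = []
    while unordered:
        total = sum(rr.weight for rr in unordered)
        pick = rng.randint(0, total)        # inclusive at both ends
        running = 0
        for rr in unordered:
            running += rr.weight
            if running >= pick:
                ordered.append(rr)
                unordered.remove(rr)
                break
    return ordered


def order_srv_records(records: List[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """Lower priority value first; ties within a priority broken by the weighted draw."""
    rng = random.Random(seed)
    by_priority = {}
    for rr in records:
        by_priority.setdefault(rr.priority, []).append(rr)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        ordered.extend(order_same_priority(by_priority[prio], rng))
    return ordered


def first_reachable(ordered: List[SrvRecord],
                    is_reachable: Callable[[SrvRecord], bool]) -> Optional[SrvRecord]:
    """Contact targets in the computed order and skip any that are unavailable
    (the dts507/dts509 loads mark SRV Record 1's server unavailable)."""
    for rr in ordered:
        if is_reachable(rr):
            return rr
    return None


def share_first(records: List[SrvRecord], trials: int, seed: int) -> float:
    """Fraction of trials in which records[0] is contacted first; with weights
    3 and 1 at the same priority the inclusive draw favours it in 4 of 5 draws."""
    rng = random.Random(seed)
    hits = sum(order_same_priority(records, rng)[0] is records[0] for _ in range(trials))
    return hits / trials


# Constructed record sets mirroring the dts508 and dts507 loads.
DTS508_RECORDS = [SrvRecord(0, 3, "ldap1.testtool.example"),
                  SrvRecord(0, 1, "ldap2.testtool.example")]
DTS507_RECORDS = [SrvRecord(0, 0, "ldap1.testtool.example"),   # to be made unavailable
                  SrvRecord(1, 0, "ldap2.testtool.example")]
```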
Data Load Notes: Testing Tool: Add the following SRV records to the DNS that point to the Test Tool's LDAP Servers.
SRV Record 1 (make this LDAP server unavailable)
Protocol: TCP
Priority: 0
Weight: 2
Load a valid certificate for dts509@direct3.testteam.us.
SRV Record 2
Protocol: TCP
Priority: 0
Weight: 1
Load a valid certificate for dts509@direct3.testteam.us.
Request Parameters: System: dts509@direct3.testteam.us
Data Load Notes: Testing Tool: Add the following SRV records to the DNS that point to the Test Tool's LDAP Servers.
SRV Record 1
Protocol: TCP
Priority: 0
Weight: 2
Load an invalid certificate for dts518@direct3.testteam.us
SRV Record 2
Protocol: TCP
Priority: 0
Weight: 1
Load a valid certificate for dts518@direct3.testteam.us
Request Parameters: System: dts518@direct2.testteam.us
Additional Info/Notes: If the client wishes to progress the operation, it contacts one of the supported services found in the referral.
Data Load Notes: Testing Tool: Add an SRV record to the DNS that points to the Test Tool's LDAP Server. An SRV resource record is used to point to an LDAP Server which returns a referral field in an LDAPResult if the resultCode is set to referral, and it is absent with all other result codes. The result contains one or more references to one or more servers or services that may be accessed via LDAP or other protocols.
Priority: 0
Weight: 0
Request Parameters: System: dts510@testtool.org

Data Load Notes: Do not load any certificates for dts511@direct4.testteam.us in DNS CERT records or in any LDAP instances.
Request Parameters: System: dts511@direct2.testteam.us
Data Load Notes: Load invalid address-bound and domain-bound certificates in DNS CERT records for dts512@direct6.testteam.us.
Request Parameters: System: dts512@testtool.org

Data Load Notes: Load invalid address-bound and domain-bound certificates in CERT records for dts520@direct5.testteam.us and direct5.testteam.us.
Have an SRV record point to the LDAP server and populate it with invalid address-bound and domain-bound certificates for dts520@direct5.testteam.us and direct5.testteam.us.
Request Parameters: System: dts520@direct2.testteam.us

Additional Info/Notes: This tests that the System can adequately handle the "undefined" response from the LDAP server.
Data Load Notes: Load the Testing Tool's LDAP server with an InetOrgPerson entry that always returns an "undefined" response.
Request Parameters: dts513@direct2.testteam.us
Data Load Notes: System: DNS CERT Record contains a full email address formatted as a domain name (ex: drwho.direct.sunnyvalley.org).
Protocol: UDP or TCP
Provide Direct email address to the Testing Tool.
Request Parameters: System's direct address
Data Load Notes: System: DNS CERT record does not contain the email address formatted as a domain name (ex: drwho.direct.sunnyvalley.org), but DOES contain a CERT record for the domain of the email address.
Protocol: UDP or TCP
Provide Direct email address to the Testing Tool.
Request Parameters: System's direct address
Data Load Notes: System: DNS CERT Record contains a full email address formatted as a domain name (ex: drwho.direct.sunnyvalley.org). The CERT record contains a URI that points to the certificate for the email address.
Protocol: UDP or TCP
Provide Direct email address to the Testing Tool.
Request Parameters: System's direct address

Data Load Notes: System: Have a certificate for a direct email address.
Provide the email address to the Testing Tool.
Request Parameters: Use a mix of upper and lower case letters to query for the CERT record
Data Load Notes: System: DNS CERT Record contains a certificate for the organization.
Protocol: Initiate with UDP
Provide Direct email address to the Testing Tool.
Request Parameters: System's direct address

Data Load Notes: System: DNS CERT Record contains a certificate for the organization.
Protocol: Initiate with TCP
Provide Direct email address to the Testing Tool.
Request Parameters: System's direct address

Data Load Notes: System: Add a SRV record to the DNS that points to the Test Tool's LDAP Server. Load an X.509 certificate for the direct email address into the LDAP server.
Provide Direct email address to the Testing Tool.
Request Parameters: System's direct address

Data Load Notes: System: Add a SRV record to the DNS that points to the Test Tool's LDAP Server. Load an X.509 certificate for the direct email address into the LDAP server.
Provide Direct email address to the Testing Tool.
Request Parameters: System's direct address

Data Load Notes: System: Have a certificate for a direct email address.
Provide the email address to the Testing Tool.
Request Parameters: System's direct address in different case from the "mail" attribute in the LDAP server
Data Load Notes: System: Have a certificate for a direct email address.
Provide the email address to the Testing Tool.
Request Parameters: filteritem: mail [System's direct address with an * 2 places from the beginning and end of the string]
ex: System's email address is happydoc@doctors.com. The query would be: *ppydoc@doctors.c*

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter (&(objectClass=inetOrgPerson)(mail=[System's direct address])(!(mail=joelamy@injira.com))); SearchRequest.attributes = userCertificate.

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter (|(mail=[System's direct address])(mail=joelamy@injira.com)); SearchRequest.attributes = userCertificate; baseObject = "dn"; scope = "wholeSubtree".

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: SearchRequest.extensibleMatch (1.3.6.1.4.1.1466.109.114.2 = [System's direct address]), which in the RFC 4515 string form is (:1.3.6.1.4.1.1466.109.114.2:=[System's direct address]); SearchRequest.attributes = userCertificate; baseObject = "dn"; scope = "wholeSubtree".
  Note: 1.3.6.1.4.1.1466.109.114.2 is the OID of the 'caseIgnoreIA5Match' rule. If the type field is absent and the matchingRule is present, the matchValue is compared against all attributes in an entry that support that matching rule.

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: SearchRequest.greaterOrEqual field = [System's direct address without one character]; SearchRequest.attributes = userCertificate; baseObject = "dn"; scope = "wholeSubtree".
  Note: an Undefined response is likely because the caseIgnoreIA5String syntax used by mail does not have an ordering mechanism (mail defines no ORDERING matching rule).

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: SearchRequest.lessOrEqual = [System's direct address]; SearchRequest.attributes = userCertificate; baseObject = "dn"; scope = "wholeSubtree".
  Note: because the assertion value equals the attribute value, this case expects the filter to resolve to TRUE. Caveat: mail has no ORDERING matching rule (RFC 4524), and RFC 4511 Section 4.5.1.7 makes a filter item Undefined when the attribute type does not define the matching rule it needs, so a strictly conforming server may evaluate this case the same way as the greaterOrEqual case above.

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter (mail=[System's direct address]); baseObject = "dn"; scope = "wholeSubtree"; sizeLimit = 1.

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter (mail=[System's direct address]); baseObject = "dn"; scope = "wholeSubtree"; timeLimit = 1.

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter item mail = [System's mail] AND filter item userCertificate present, i.e. (&(mail=[System's direct address])(userCertificate=*)); baseObject = "dn"; scope = "wholeSubtree".

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter (mail=[System's direct address]); SearchRequest.attributes = NULL (an empty attribute list); baseObject = "dn"; scope = "wholeSubtree".

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter (mail=[System's direct address]); attributes = (*); baseObject = "dn"; scope = "wholeSubtree".

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.

- System: have a certificate for a Direct email address. Provide the email address to the Testing Tool.
  Request: filter (mail=[System's direct address]); attributes = foo;userCertificate; (the list foo, userCertificate, where foo is not an attribute description the server recognizes); baseObject = "dn"; scope = "wholeSubtree".
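The SearchRequest cases above turn on three-valued filter evaluation (TRUE, FALSE, Undefined) and on attribute selection, so here is a small evaluator that plays them through. This is an added example standing in for the Testing Tool's LDAP side, not ONC code: the schema is a toy in which `mail` is modelled on RFC 4524 (EQUALITY caseIgnoreIA5Match, SUBSTR caseIgnoreIA5SubstringsMatch, no ORDERING rule), the two directory entries are constructed sample data, and `parse`, `evaluate`, `select_attributes` and `search` are names chosen for the example.

```python
"""Three-valued LDAP filter evaluation (RFC 4511 s.4.5.1.7, RFC 4515 string
filters) and attribute selection (RFC 4511 s.4.5.1.8) over a toy schema.
Added example, not ONC code; the directory entries are constructed."""
import re

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "Undefined"
CASE_IGNORE_IA5 = "1.3.6.1.4.1.1466.109.114.2"   # caseIgnoreIA5Match (RFC 4517)
SCHEMA = {  # name -> equality rule, substrings supported, ordering rule
    "mail":            {"equality": CASE_IGNORE_IA5, "substr": True, "ordering": None},
    "objectclass":     {"equality": "objectIdentifierMatch", "substr": False, "ordering": None},
    "usercertificate": {"equality": None, "substr": False, "ordering": None},
}
OID_TO_NAME = {"0.9.2342.19200300.100.1.3": "mail"}   # mail's OID per RFC 4524
USER_ATTRS, OPERATIONAL_ATTRS = set(SCHEMA), {"createtimestamp"}

def resolve(desc):
    """Attribute description -> schema name (options like ;binary dropped, OIDs
    mapped); None when the server does not recognize the description."""
    base = desc.split(";")[0].strip().lower()
    base = OID_TO_NAME.get(base, base)
    return base if base in SCHEMA else None

def parse(s):
    """Parse an RFC 4515 filter string; returns (tree, unparsed remainder)."""
    if s[1] in "&|":
        items, rest = [], s[2:]
        while rest.startswith("("):
            item, rest = parse(rest)
            items.append(item)
        return (s[1], items), rest[1:]
    if s[1] == "!":
        item, rest = parse(s[2:])
        return ("!", item), rest[1:]
    body, rest = s[1:s.index(")")], s[s.index(")") + 1:]
    if ":=" in body:                                  # [attr][:dn][:rule]:=value
        lhs, value = body.split(":=", 1)
        parts = lhs.split(":")
        rule = next((p for p in parts[1:] if p and p != "dn"), None)
        return ("extensible", parts[0] or None, rule, value), rest
    for op in (">=", "<=", "="):
        if op in body:
            attr, value = body.split(op, 1)
            return (op, attr, value), rest
    raise ValueError("bad filter item: " + body)

def equal(name, value, entry):
    if SCHEMA[name]["equality"] is None:
        return UNDEFINED                              # type has no EQUALITY rule
    return TRUE if any(v.lower() == value.lower() for v in entry.get(name, [])) else FALSE

def evaluate(node, entry):
    """RFC 4511 s.4.5.1.7: an entry is returned only when the filter is TRUE."""
    op = node[0]
    if op == "&":
        r = [evaluate(n, entry) for n in node[1]]
        return FALSE if FALSE in r else UNDEFINED if UNDEFINED in r else TRUE
    if op == "|":
        r = [evaluate(n, entry) for n in node[1]]
        return TRUE if TRUE in r else UNDEFINED if UNDEFINED in r else FALSE
    if op == "!":
        return {TRUE: FALSE, FALSE: TRUE}.get(evaluate(node[1], entry), UNDEFINED)
    if op == "extensible":                            # s.4.5.1.7.7
        _, desc, rule, value = node
        if desc is None:  # type absent: every attribute supporting the rule
            names = [n for n, s in SCHEMA.items() if s["equality"] == rule]
        else:
            name = resolve(desc)
            names = [name] if name and rule in (None, SCHEMA[name]["equality"]) else []
        results = [equal(n, value, entry) for n in names]
        return TRUE if TRUE in results else FALSE if results and UNDEFINED not in results else UNDEFINED
    _, desc, value = node
    name = resolve(desc)
    if name is None:
        return UNDEFINED                              # unrecognized attribute description
    if op in (">=", "<="):                            # s.4.5.1.7.3 / .4 need an ORDERING rule
        if SCHEMA[name]["ordering"] is None:
            return UNDEFINED
        raise NotImplementedError("ordering rules are not modelled in this toy schema")
    if value == "*":                                  # present
        return TRUE if name in entry else FALSE
    if "*" in value:                                  # substrings: initial*any*final
        if not SCHEMA[name]["substr"]:
            return UNDEFINED
        pat = ".*".join(re.escape(p) for p in value.split("*"))
        return TRUE if any(re.fullmatch(pat, v, re.IGNORECASE) for v in entry.get(name, [])) else FALSE
    return equal(name, value, entry)

def select_attributes(requested, entry):
    """s.4.5.1.8: empty list or '*' = all user attributes, '+' (RFC 3673) =
    operational attributes, '1.1' = none; unrecognized descriptions are ignored."""
    wanted = set(USER_ATTRS) if (not requested or "*" in requested) else set()
    if "+" in requested:
        wanted |= OPERATIONAL_ATTRS
    wanted |= {resolve(a) for a in requested if a not in ("*", "+", "1.1") and resolve(a)}
    return {k: v for k, v in entry.items() if k in wanted}

def search(entries, filter_str, attrs=(), size_limit=0):
    """Toy SearchRequest: (selected entries, resultCode). sizeLimit 0 = no
    limit; more matches than the limit -> sizeLimitExceeded (s.4.5.1.4)."""
    tree, rest = parse(filter_str)
    if rest:
        raise ValueError("trailing text after filter: " + rest)
    matched = [select_attributes(list(attrs), e) for e in entries if evaluate(tree, e) == TRUE]
    if size_limit and len(matched) > size_limit:
        return matched[:size_limit], "sizeLimitExceeded"
    return matched, "success"

# Constructed sample directory; the second entry carries no certificate.
DIRECTORY = [
    {"objectclass": ["inetOrgPerson"], "mail": ["HappyDoc@doctors.com"],
     "usercertificate": [b"\x30\x82\x03\x10"], "createtimestamp": ["20120509120000Z"]},
    {"objectclass": ["inetOrgPerson"], "mail": ["joelamy@injira.com"],
     "createtimestamp": ["20120509120000Z"]},
]
```

Note the two places where the suite's expectations meet the spec: `(mail>=...)` and `(mail<=...)` both come back Undefined here because the toy `mail` type, like the real one, has no ORDERING rule, and an unrecognized description such as `foo` in the attribute list is simply dropped rather than rejected.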

- System: the DNS contains a CERT or SRV RR that is larger than 512 bytes. Protocol: initiate with UDP. Provide a Direct email address that requires the Testing Tool to obtain the record that is larger than 512 bytes.
  Test data: a Direct email address associated with a certificate that is larger than 512 bytes.
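The DNS CERT cases in this suite hinge on three details: the owner name derived from the address (dts500@direct1.testteam.us is looked up at dts500.direct1.testteam.us), the case-insensitive matching of that name, and the 512-byte UDP limit that forces a TCP retry when the CERT RR is large. The following is an added example of those checks, not the ONC Testing Tool; it builds the query and the sample server replies itself with `struct` so it runs offline, and the function names and the 600-byte stand-in certificate are constructed for the example.

```python
"""DNS CERT discovery helpers for Direct addresses: owner-name derivation,
case-insensitive owner matching, UDP truncation (TC bit) detection with TCP
retry, and CERT RDATA parsing. Added example; not the ONC Testing Tool."""
import struct

QTYPE_CERT = 37          # CERT RR type (RFC 4398 s.2)
CERT_TYPE_PKIX = 1       # X.509 as per PKIX (RFC 4398 s.2.1)
UDP_MAX_PAYLOAD = 512    # classic DNS/UDP limit (RFC 1035 s.4.2.1)

def owner_names(address):
    """Direct Applicability Statement s.5.3: the address-bound CERT RR lives at
    local-part.domain (the '@' becomes a '.'), the domain-bound one at the domain."""
    local, domain = address.split("@", 1)
    return f"{local}.{domain}", domain

def same_owner(a, b):
    """DNS owner names compare case-insensitively (RFC 4343)."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def build_query(qid, name, qtype=QTYPE_CERT):
    """One question, RD set; the name is sent in whatever case the caller used."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(qid, name, rdatas, tc=False):
    """Constructed server reply used as sample input. A truncated reply (TC set)
    carries no answer RRs here, as a server would do once the 512-byte UDP
    payload cannot hold the CERT RR."""
    flags = 0x8180 | (0x0200 if tc else 0)                # QR, RD, RA (+TC)
    answers = [] if tc else rdatas
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", QTYPE_CERT, 1)
    for rd in answers:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_CERT, 1, 300, len(rd)) + rd
    return msg

def parse_response(msg):
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4                 # skip qtype/qclass
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "answers": answers}

def parse_cert_rdata(rdata):
    """RFC 4398 s.2: type(16) | key tag(16) | algorithm(8) | certificate bytes."""
    cert_type, key_tag, alg = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, alg, rdata[5:]

def tcp_frame(query):
    """RFC 1035 s.4.2.2: over TCP each message is prefixed by its two-byte length."""
    return struct.pack("!H", len(query)) + query

def pkix_certs(query_name, udp_reply):
    """('tcp-retry', None) when the UDP reply is truncated, otherwise
    ('ok', [certificate bytes]) for PKIX CERT RRs whose owner matches."""
    r = parse_response(udp_reply)
    if r["tc"]:
        return "tcp-retry", None
    certs = []
    for name, rtype, rd in r["answers"]:
        if rtype == QTYPE_CERT and same_owner(name, query_name):
            ctype, _, _, cert = parse_cert_rdata(rd)
            if ctype == CERT_TYPE_PKIX:
                certs.append(cert)
    return "ok", certs
```

A client that takes the `tcp-retry` branch resends `tcp_frame(build_query(...))` over TCP and parses the reply with the same `parse_response`; the mixed-case query case passes because `same_owner` folds case before comparing the answer's owner name to the one asked for.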
- System: have a certificate for a Direct email address in the LDAP server. Provide the email address to the Testing Tool.
  Request: bind to the System using username and password authentication.

- System: have a certificate for a Direct email address in the LDAP server. Provide the email address to the Testing Tool.
  Request: filter (mail=[a Direct address that the System does not have]); baseObject = "dn"; scope = wholeSubtree.

- System: have a certificate for a Direct email address in the LDAP server. Provide the email address to the Testing Tool.
  Request: filter (mail=[System's direct address]); baseObject = "dn"; scope = wholeSubtree.

- System: have a certificate for a Direct email address in the LDAP server. Provide the email address to the Testing Tool.
  Request: filter item mail, referenced by OID rather than by name, = [the System's Direct address]; baseObject = "dn"; scope = wholeSubtree. The source gives the OID as 0.9.2342.19200300.100.3.5; note that the mail attribute's OID per RFC 4524 is 0.9.2342.19200300.100.1.3 (0.9.2342.19200300.100.3.5 is the caseIgnoreIA5String syntax OID from RFC 1274).

- System: have a certificate for a Direct email address in the LDAP server. Provide the email address to the Testing Tool.
  Request: filter item mail = [System's direct address]; baseObject = "dn"; scope = wholeSubtree.
Expected Response | RTM | Underlying Specification Reference

- Expected: System should retrieve and use the address-bound certificate hosted by the DNS in a CERT record at dts500.direct1.testteam.us.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Section 5.3

- Expected: System should retrieve and use the domain-bound certificate hosted by the DNS in a CERT record at direct1.testteam.us.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Sections 4.0 and 5.3

- Expected: System should retrieve and use the domain-bound certificate hosted by the DNS in a CERT record at direct1.testteam.us.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Sections 4.0 and 5.3

- Expected: System should retrieve and use the domain-bound certificate hosted by the DNS in a CERT record at direct1.testteam.us.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Sections 4.0 and 5.3

- Expected: System should retrieve and use the address-bound certificate hosted by the DNS in a CERT record at dts502.direct1.testteam.us.
  RTM: 1, 3, 4
  Reference: Direct Applicability Statement for Secure Health Transport, Section 5.4; RFC 1035, Section 4.2; RFC 4398, Section 4 (Performance Considerations, on CERT RRs too large for a 512-byte UDP reply)

- Expected: System should retrieve and use the address-bound certificate as pointed to by the DNS in a CERT record at dts503.direct1.testteam.us.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Section 5.3

- Expected: System should retrieve and use the address-bound certificate located in the LDAP server.
  RTM: 2, 3, 5-12, 14-17, 19-22

- Expected: System should retrieve and use the domain-bound certificate located in the LDAP server.
  RTM: 22

- Expected: System should retrieve and use the valid address-bound certificate located in the lower priority LDAP server.
  RTM: 15, 18
  Reference: RFC 2782, page 3, Priority and Weight sections; Applicability Statement for Secure Health Transport, Section 4

- Expected: System should retrieve the valid dts506 certificate from SRV Record 1.
  RTM: 15, 18, 22
  Reference: RFC 2782, page 3, Priority section

- Expected: System should retrieve and use the certificate from the available LDAP server.
  RTM: 15, 18
  Reference: RFC 2782, page 3, Priority section

- Expected: System should retrieve and use the certificate from SRV Record 2.
  RTM: 15, 18
  Reference: RFC 2782, page 3, Priority section; Applicability Statement for Secure Health Transport, Section 4

- Expected: In the absence of a protocol whose specification calls for the use of other weighting information, the certificate from SRV Record 1 should be chosen 3/5 of the time and the certificate from SRV Record 2 should be chosen 2/5 of the time.
  RTM: 16, 18
  Reference: RFC 2782, page 3, Weight section

- Expected: The System should retrieve the valid certificate from SRV Record 2.
  RTM: 16, 18
  Reference: RFC 2782, page 3, Weight section

- Expected: The System should retrieve the valid certificate from SRV Record 2.
  RTM: 15, 18
  Reference: RFC 2782, page 3, Weight section; Applicability Statement for Secure Health Transport, Section 4

- Expected: The System may proceed with querying the referral service. If it does proceed, it should receive a valid certificate for the email address provided.
  RTM: 22
  Reference: RFC 4511, Section 4.1.10
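The SRV cases above (lowest priority value first, the 3/5 vs 2/5 weight split, failover when a server is unreachable or returns no usable certificate) are the RFC 2782 client algorithm applied to LDAP discovery. Below is an added example of that algorithm, not the ONC Testing Tool or its code: the hostnames, the `make_fetch` table that stands in for an LDAP bind-and-search, and the `.example` SRV sets are constructed sample data.

```python
"""RFC 2782 SRV selection for LDAP certificate discovery: ascending priority
value; within one priority a weighted random draw; failover to the next
candidate when a server is unreachable or returns no certificate.
Added example, not ONC code; hostnames and fetch tables are constructed."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight target")
UNREACHABLE = object()          # table value meaning connection refused / timeout

class Unavailable(Exception):
    """Raised by a fetch callback when the LDAP server cannot be reached."""

def weighted_order(records, rng=None):
    """Order records as a client should try them (RFC 2782, p.3): ascending
    priority; within a priority, repeated draws in which each remaining record
    is chosen with probability weight / (sum of remaining weights). Zero-weight
    records are listed first so they win only when the draw lands on 0."""
    rng, ordered = rng or random.Random(), []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        rng.shuffle(pool)                           # equal priority: any order
        pool.sort(key=lambda r: r.weight != 0)      # stable sort: zero weights first
        while pool:
            draw, running = rng.random() * sum(r.weight for r in pool), 0
            for i, r in enumerate(pool):
                running += r.weight
                if running >= draw:
                    ordered.append(pool.pop(i))
                    break
    return ordered

def make_fetch(table):
    """Fetch callback from a target -> certificate table (sample data). A real
    client would connect to the LDAP server and run the SearchRequest here."""
    def fetch(target):
        value = table.get(target)
        if value is UNREACHABLE:
            raise Unavailable(target)
        return value                                # None = no usable certificate
    return fetch

def discover(records, fetch, rng=None):
    """Walk the SRV records in RFC 2782 order, skipping unreachable servers and
    servers that return no certificate. Returns (target, cert) or (None, None)."""
    for r in weighted_order(records, rng):
        try:
            cert = fetch(r.target)
        except Unavailable:
            continue
        if cert is not None:
            return r.target, cert
    return None, None

def first_choice_shares(records, trials=20000, seed=1):
    """Empirical share of first-choice selections per target, to check the
    weight split (about 3/5 vs 2/5 for weights 3 and 2)."""
    rng, counts = random.Random(seed), {}
    for _ in range(trials):
        t = weighted_order(records, rng)[0].target
        counts[t] = counts.get(t, 0) + 1
    return {t: n / trials for t, n in counts.items()}

# Constructed SRV sets modelled on the suite's weight and priority cases.
WEIGHTED = [SRV(0, 3, "ldap-a.example"), SRV(0, 2, "ldap-b.example")]
PRIORITIZED = [SRV(1, 0, "ldap1.example"), SRV(2, 0, "ldap2.example")]
```

`discover` is where the suite's "one LDAP instance unavailable" and "one instance does not return a valid certificate" cases differ only in the table value: `UNREACHABLE` raises and is skipped, `None` is a reachable server whose entry carries nothing usable, and both fall through to the next record in priority order.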




- Expected: No results.
  RTM: 1, 3, 18

- Expected: No results.
  RTM: 1, 3, 18

- Expected: No results.
  RTM: 3, 22

- Expected: Undefined.
  RTM: 20, 22
  Reference: RFC 4511, Section 4.5.1.7

- Expected: The Testing Tool should return the X.509 certificate for the email address provided.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Section 5.3

- Expected: The Testing Tool should return the X.509 certificate for the email address provided.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Section 5.3

- Expected: The Testing Tool should return the X.509 certificate for the email address provided.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Section 5.3

- Expected: Should return the certificate associated with the System's direct address.
  RTM: 1, 3
  Reference: RFC 4398, Section 2.1; Direct Applicability Statement for Secure Health Transport, Section 5.3

- Expected: The Testing Tool should return the X.509 certificate for the email address provided. It may initially return a truncated response because the certificate is larger than 512 bytes.
  RTM: 1, 3
  Reference: Direct Applicability Statement for Secure Health Transport, Section 5.4; RFC 1035, Section 4.2

- Expected: The Testing Tool should return the X.509 certificate for the email address provided.
  RTM: 1, 3
  Reference: Direct Applicability Statement for Secure Health Transport, Section 5.4; RFC 1035, Section 4.2

- Expected: The Testing Tool should return the X.509 certificate for the email address provided.
  RTM: 2, 3, 5-17, 19-22
  Reference: RFC 2798, Section 9.1.2

- Expected: The Testing Tool should return the X.509 certificate for the email address provided.
  RTM: 2, 3, 5-17, 19-22
  Reference: RFC 2798, Section 9.1.2

- Expected: The Testing Tool should return the X.509 certificate for the email address provided.
  RTM: 2, 3, 5-17, 19-22
  Reference: RFC 2798, Section 9.1.3

- Expected: Should return all entries where the mail attribute matches the characters between the asterisks. There can be any number or type of characters before or after the asterisks.
  RTM: 2, 3, 5-17, 19-22
  Reference: RFC 4515, Section 3

- Expected: System's direct certificate.
  RTM: 2, 3, 5-17, 19-22
  Reference: RFC 4515, Section 3

- Expected: System's direct certificate.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4515, Section 3

- Expected: System's direct certificate.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.7.7

- Expected: Filter should resolve to Undefined and should not return the direct certificate.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Sections 4.5.1.7 and 4.5.1.7.3

- Expected: Should return the System's direct certificate.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.7.4

- Expected: Either the System's direct certificate or a sizeLimitExceeded error.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.4

- Expected: Either the System's direct certificate or a timeLimitExceeded error.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.5 and Appendix A.2

- Expected: Entries where the mail attribute equals the address provided AND the object also MUST contain a userCertificate.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.7.6

- Expected: Should return all user attributes.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.8

- Expected: Should return all user attributes in addition to the other listed (operational) attributes for the object that matches the queried direct address.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.8

- Expected: (no expected response given for this case)
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.8

- Expected: The server should return the attributes that it recognizes. If an attribute description in the list is not recognized, it is ignored by the server.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.1.8

- Expected: #NAME? (the source cell shows this spreadsheet error; the expected response is not recoverable)
  RTM: 1, 3, 4
  Reference: Direct Applicability Statement for Secure Health Transport, Section 5.4; RFC 1035, Sections 4.1.1 and 4.2

- Expected: #NAME? (the source cell shows this spreadsheet error; the expected response is not recoverable)
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4513, Section 5.1.2

- Expected: noSuchObject.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.5.2; RFC 4511, Appendix A.2

- Expected: There should be a delay in response until the pending LDAP bind is either abandoned or completed.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.2.1

- Expected: The System MAY process the request or may send an error in response.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 2798, Section 9.1.3

- Expected: The System should respond with directory.operationsError.
  RTM: 2, 3, 5-14, 17, 19-22
  Reference: RFC 4511, Section 4.2.1
Test Data Matrix

Items marked in brown indicate the certificate that should be chosen (the colour is lost in this text version; the note on each file says which certificate should have been chosen instead where it is not the expected one).

Domain: direct1.testteam.us
Servers: DNS (address-bound valid / invalid, domain-bound valid / invalid); LDAP 1, SRV priority 0 weight 0 (address-bound valid / invalid, org-bound valid / invalid)

DTS 500 (dts500@direct1.testteam.us)
  Notes: basic algorithm; prove they choose valid certificates in the order of the algorithm.
  DNS address-bound, valid: dts500_valid_cert_record.p12
  DNS address-bound, invalid: othercert.p12 (this is not the correct address; it is for othercert@direct1.testteam.us)
  DNS domain-bound, valid: dts501_valid.p12 (should have chosen the address-bound certificate first)
  DNS domain-bound, invalid: direct9.testteam.us.p12 (wrong domain, and should have chosen the address-bound certificate first)
  LDAP 1 address-bound, valid: dts500_valid_ldap.p12 (should have chosen the address-bound certificate first)
  LDAP 1 org-bound, valid: dts501_valid_ldap.p12 (should have chosen the address-bound certificate first)

DTS 501 (dts501@direct1.testteam.us)
  DNS address-bound, invalid: dts501_expired.p12 (expired certificate)
  DNS domain-bound, valid: dts501_valid.p12
  DNS domain-bound, invalid: direct9.testteam.us.p12 (wrong domain)
  LDAP 1 org-bound, valid: dts501_valid_ldap.p12 (should have chosen the DNS CERT domain-bound certificate first)

DTS 521 (dts521@direct1.testteam.us)
  Notes: not currently modeled in our Testing Tool.
  DNS address-bound, invalid: dts521_expired.p12 (expired certificate)
  DNS domain-bound, valid: dts521_valid.p12
  DNS domain-bound, invalid: direct9.testteam.us.p12 (wrong domain)
  LDAP 1 address-bound, valid: dts521_address_ldap.p12
  LDAP 1 org-bound, valid: dts501_valid_ldap.p12 (should have chosen the DNS CERT domain-bound certificate first)

DTS 502 (dts502@direct1.testteam.us)
  DNS address-bound, valid: dts502.p12
  DNS domain-bound, valid: dts501_valid.p12 (should have chosen the address-bound certificate first)
  DNS domain-bound, invalid: direct9.testteam.us.p12 (wrong domain, and should have chosen the address-bound certificate first)
  LDAP 1 org-bound, valid: dts501_valid_ldap.p12 (should have chosen the address-bound certificate first)

Test cases in the remaining domains (their certificate loads follow under each domain):

- DTS 505 (dts505@direct2.testteam.us)
- DTS 515 (dts515@direct2.testteam.us)
- DTS 506 (dts506@direct2.testteam.us): search based on SRV priority
- DTS 507 (dts507@direct3.testteam.us): query for the Direct address from LDAP servers based on priority value; one LDAP instance unavailable
- DTS 517 (dts517@direct3.testteam.us): query for the Direct address from LDAP servers based on priority value; one LDAP instance does not return a valid certificate
- DTS 519 (dts519@direct3.testteam.us): query two LDAP servers; one LDAP instance does not return a valid certificate
- DTS 511 (dts511@direct4.testteam.us): no certificate found in the DNS CERT or LDAP instance
- DTS 520 (dts520@direct5.testteam.us): no valid certificate found in the DNS CERT or LDAP instance
- DTS 512 (dts512@direct6.testteam.us): no certificate found in the DNS CERT and no SRV records
- DTS 522 (dts522@direct7.testteam.us): invalid address-bound, but valid domain-bound certificate; not modeled in our tool
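The direct1 rows above all exercise one ordering: a DNS CERT address-bound certificate beats a DNS CERT domain-bound one, which beats anything in LDAP, and an expired or wrongly bound candidate is skipped rather than ending the search. Here is that selection written out as an added example; it is not ONC code, and the "certificates" are stand-in records named after the matrix's .p12 files, with their bindings and validity dates assumed from the matrix notes rather than read from real X.509 files.

```python
"""Certificate selection order exercised by the direct1 rows: DNS CERT
address-bound, then DNS CERT domain-bound, then LDAP address-bound, then LDAP
domain-bound, taking the first candidate bound to the queried address (or its
domain) and inside its validity period. Added example, not ONC code."""
from datetime import date

SEARCH_ORDER = [("DNS", "address"), ("DNS", "domain"), ("LDAP", "address"), ("LDAP", "domain")]
TODAY = date(2012, 5, 9)          # assumed 'now' for the expiry check

def cert(file, bound_to, not_after="2020-01-01", not_before="2011-01-01"):
    """Stand-in for a parsed certificate. bound_to is the subjectAltName value:
    an rfc822Name for address-bound, a dNSName for domain-bound, None if unbound.
    Dates are assumptions; the matrix only says which files are expired."""
    return {"file": file, "bound_to": bound_to,
            "not_before": date.fromisoformat(not_before), "not_after": date.fromisoformat(not_after)}

def reject_reason(c, address, binding, today):
    """None if the certificate is usable for this lookup, else why it is not.
    Names are compared case-insensitively here."""
    expected = address if binding == "address" else address.split("@", 1)[1]
    if c["bound_to"] is None or c["bound_to"].lower() != expected.lower():
        return "not bound to the queried " + binding
    if today > c["not_after"]:
        return "expired"
    if today < c["not_before"]:
        return "not yet valid"
    return None

def choose_certificate(address, sources, today=TODAY):
    """sources: {(service, binding): [certs]} as loaded for the address's domain.
    Returns (service, binding, file, rejected); rejected lists (file, reason)
    for every candidate skipped before the choice was made."""
    rejected = []
    for service, binding in SEARCH_ORDER:
        for c in sources.get((service, binding), []):
            why = reject_reason(c, address, binding, today)
            if why is None:
                return service, binding, c["file"], rejected
            rejected.append((c["file"], why))
    return None, None, None, rejected

D1 = "direct1.testteam.us"
DIRECT1 = {  # constructed from the direct1.testteam.us rows of the matrix
    "dts500@direct1.testteam.us": {
        ("DNS", "address"): [cert("othercert.p12", "othercert@direct1.testteam.us"),
                             cert("dts500_valid_cert_record.p12", "dts500@direct1.testteam.us")],
        ("DNS", "domain"): [cert("dts501_valid.p12", D1), cert("direct9.testteam.us.p12", "direct9.testteam.us")],
        ("LDAP", "address"): [cert("dts500_valid_ldap.p12", "dts500@direct1.testteam.us")],
        ("LDAP", "domain"): [cert("dts501_valid_ldap.p12", D1)],
    },
    "dts501@direct1.testteam.us": {
        ("DNS", "address"): [cert("dts501_expired.p12", "dts501@direct1.testteam.us", not_after="2012-01-01")],
        ("DNS", "domain"): [cert("dts501_valid.p12", D1), cert("direct9.testteam.us.p12", "direct9.testteam.us")],
        ("LDAP", "domain"): [cert("dts501_valid_ldap.p12", D1)],
    },
    "dts521@direct1.testteam.us": {
        ("DNS", "address"): [cert("dts521_expired.p12", "dts521@direct1.testteam.us", not_after="2012-01-01")],
        ("DNS", "domain"): [cert("dts521_valid.p12", D1), cert("direct9.testteam.us.p12", "direct9.testteam.us")],
        ("LDAP", "address"): [cert("dts521_address_ldap.p12", "dts521@direct1.testteam.us")],
        ("LDAP", "domain"): [cert("dts501_valid_ldap.p12", D1)],
    },
    "dts502@direct1.testteam.us": {
        ("DNS", "address"): [cert("dts502.p12", "dts502@direct1.testteam.us")],
        ("DNS", "domain"): [cert("dts501_valid.p12", D1), cert("direct9.testteam.us.p12", "direct9.testteam.us")],
        ("LDAP", "domain"): [cert("dts501_valid_ldap.p12", D1)],
    },
}

def run_matrix(today=TODAY):
    """The file the System is expected to pick for each direct1 address."""
    return {a: choose_certificate(a, s, today)[2] for a, s in DIRECT1.items()}
```

The `rejected` list is the useful part for a tester: for DTS 501 it records that dts501_expired.p12 was seen first and skipped as expired, which is the evidence that the System walked the order rather than simply happening to pick a valid file.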
                            domain direct2.testteam.us

DNS | LDAP 1: p0 w0 | LDAP 2: p1 w0
org-bound | address-bound | address-bound | domain-bound | address bound
invalid | valid | invalid | valid | valid | invalid

O8 isn't in the ldap because it would break the system.

- dts505_mac.p12
- dts505_unbound.p12 (This certificate is not bound correctly)
- dts515_mac.p12 (this is a domain bound certificate and should not be used because there is a valid address bound certificate)
- dts506_ldap_1_mac.p12
- dts515_mac.p12 (this is a domain bound certificate and should not be used because there is a valid address bound certificate)
- dts506_ldap_2.p12 (This is a lower priority SRV Record and therefore should not be used)
- dts515_mac.p12
- dts515_address_bound.p12 (This is a lower priority SRV Record and therefore should not be used)

                                                                 direct3.testteam.us

P 2: p1 w0 | LDAP 1: p1 w0 | LDAP 2: p2 w0
address-bound | address bound
valid | invalid | valid | valid | invalid

- dts507.p12 (LDAP entry but no certificate)
- dts517.p12
- dts519_expired_ldap1_new.p12 (This Certificate is expired and should not be used)
- dts519_valid_ldap_2.p12

.testteam.us                                                    direct5.testteam.us

P 2: p2 w0 | LDAP: p2 w0 | DNS
address bound | address bound | domain bound
valid | invalid | invalid

- Theoretically, a valid dts507 certificate would be installed on this LDAP instance, but it is in fact not a run instance and therefore, the certificate doesn't need to be loaded.
- dts520_invalid_address_cert (shouldn't use this because it's expired)
- dts520_invalid_domain_cert (shouldn't use this because it's expired)

direct5.testteam.us                        direct6.testteam.us         direct7.testteam.us

LDAP 1: p0 w0, instance name: ldap2 | DNS | DNS
address-bound | domain-bound | address bound | domain bound | address bound
invalid | invalid | invalid | invalid | invalid | valid

- dts520_invalid_address_ldap (shouldn't use this because it's expired)
- dts520_invalid_domain_ldap (shouldn't use this because it's expired)
- dts512_expired_address_cert (shouldn't use this because it's expired)
- expired_direct6_domain_cert (shouldn't use this because it's expired)
- dts522_invalid_address.p12
- dts522_valid_domain.p12
