@@ -1249,20 +1249,23 @@ The product shall provide a method to read all data and settings from the produc
* Verdict: All data and settings can be read by the authorized user, and no data or setting can be read by an unauthorized user => PASS, otherwise FAIL
* Evidence: List of data and settings, log message showing success or failure of each read by the authorized user and, if applicable, the unauthorized user
#### 5.2.17.3 MI-SDTR: Secure data transfer to another product (### 5.14.N DRT)
#### 5.2.17.3 MI-SDTR: Secure data export (### 5.14.N DRT)
***\[REQ-DRT-h6jg0]** If the product provides a method to transfer data and settings to another product, it shall do so securely.
> NOTE: Depending on use case, export of user data and settings may or may not be a desirable security feature for a VPN product, or indeed even possible. For example, enterprise users likely wish to export and independently back up configurations, while users of consumer VPNs may have bespoke clients installed that could not re-use configuration data.
***\[REQ-DRT-n485d-0]** The product shall provide a method to export configuration data to a local file or external medium.
***\[REQ-DRT-n485d-1]** The product shall by default warn users if the export will include private keys or other sensitive data in plain text.
[//]:#(### 6.14.N DRT)
* Applicability: Product has the capability for the user to write data and/or settings and to transfer that data to another product.
* Requirement: **REQ-DRT-h6jg0**
* Applicability: Product has the capability for the user to write data and/or settings, and the manufacturer explicitly supports the export of that data to an external file. Strictly applicable to use cases where an IT professional can reasonably be expected to administer the product.
* Requirement: **REQ-DRT-n485d**
* Reference: TR-SDTR
* Objective: Secure data transfer
* Preparation: Prepare methods by which an unauthorized user could read the data during transfer as outlined in the risk assessment
* Activities: Read the data or settings, initiate the data transfer, attempt to read or alter the transferred data and settings as an unauthorized user, read the new data and settings on the target product
* Verdict: No data or settings could be read or altered by an an unauthorized user, and the data and settings read from the original product and target product are the same wherever technically possible => PASS, otherwise FAIL
* Evidence: List of data and settings, log messages from the attempts to read or alter data as the unauthorized user, data and settings as read from the source product and as read from the target product, comparison explaining technical reasons for any differences in the two versions
* Preparation: Identify the methods provided by the product to export the data to a local file.
* Activities: Authenticate as an authorized user, read the data or settings, and initiate the export. Open and read the exported file.
* Verdict: The export completes successfully, the data and settings reflect those on the product from which the export was performed, product displayed warning if private keys or credentials were included in plaintext export => PASS, otherwise FAIL
* Evidence: List of exported data and settings, log messages from the export in direct response to user action, and exported configuration reflecting accurate representation of product settings.