commoncriteria / X509

FDP_CER_EXT.2 Use Case #14

Open kenji-lightship opened 4 months ago

kenji-lightship commented 4 months ago

FDP_CER_EXT.2.1 says, "establish a linkage from certificate requests from a supported TOE function to issued certificates." This sounds like it is specifying end-entity FIA_X509_EXT.3 functionality for matching a signed certificate to a generated request.

FDP_CER_EXT.2.2 says, "The TSF shall [selection: revoke, not issue ] certificates that cannot be associated with..." This sounds more like a CA function (which is consistent with FIA_XCM_EXT.2); however, it's not clear when "revoke" would be applicable.

It appears FDP_CER_EXT.2.1 should be removed and FDP_CER_EXT.2.2 should be updated so it only specifies "not issue."

jfisherbah commented 4 weeks ago

Both of these are intended to be CA functionality. FDP_CER_EXT.2.1 is the CA end of the request checking and is part of the accountability requirement for a CA to issue only authorized certificates. No change made. Believe can be closed.