commoncriteria / application

Protection Profile for Application Software
The Unlicense

FPT_TUD_EXT.1.4 relation to FIA_X509_EXT.1 and FIA_X509_EXT.2 #181

Closed sckgh closed 3 months ago

sckgh commented 4 months ago

Suggest that if digital signing capability is invoked from the application for FPT_TUD_EXT.1.4, then FIA_X509_EXT.1 and FIA_X509_EXT.2 are selected for certificate validation.

This may necessitate iteration for identity and code signing in the ST.

Suggested wording:

FPT_TUD_EXT.1.4 Application updates shall be digitally signed that the application platform can cryptographically verify [selection: using certificates in conformance with FIA_X509_EXT, using certificates provided by the operational environment] prior to installation

jmcdaniels commented 3 months ago

The application signatures are verified by the platform. The application must leverage the platform for this service; this is described in platform PPs such as FPT_TUD_EXT.2 in the GP OS PP.

https://www.niap-ccevs.org/static_html/protection-profile/469/OS%204.3%20PP/index.html#FPT_TUD_EXT.2.2

I don't see a need for this update in the App PP.