FDP_DAR_EXT.1 is for sensitive application data, but then the third bullet states that sensitive data could be protected according to FCS_STO_EXT.1, which is specifically about credentials. While this does meet the definition of sensitive data (which includes credentials and keys), it seems to be putting too many things into that bucket.
I think it would be best to keep credentials and keys as one item (covered specifically by FCS_STO_EXT.1) and then Sensitive data to be everything else.
Just to keep things clean, having "data" and "keys" mixed as "sensitive data" is confusing, and ideally should be minimized.