commoncriteria / virtualization

Protection Profile for Virtualization
The Unlicense

Possible inconsistency with FIA_X509_EXT.2 #73

Closed. mclearn closed this issue 3 years ago

mclearn commented 3 years ago

The application note for FIA_X509_EXT.2 requires this SFR to be included when digital signatures are claimed for FPT_TUD_EXT.1.3. However, the selection in FIA_X509_EXT.2.1 splits out protocol use from non-protocol use, creating an inconsistency in claims. That is, if I only use X.509 certs for trusted update, then I should be able to claim only "code signing for system software updates" without needing to claim the protocols in the first selection. In addition, there is an orphaned selection, "code signing for integrity verification", which doesn't appear to have any selection rules applied to it (I suspect it is based on a non-existent FPT_TST_EXT.2 SFR template).

Perhaps a change like the following?

FIA_X509_EXT.2.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for [selection: IPsec, TLS, HTTPS, SSH, code signing for system software updates, [assignment: other uses]].

robertmclemons commented 3 years ago

Agreed. Modified as suggested. Also added a line to the App Note regarding "other uses," which would include integrity checks or whatever. So this means that this SFR is included in the ST based on those selections, or if X509-based auth is used for "other uses."