The Network Interpretations Team (NIT) has issued a technical decision regarding the FIA_X509_EXT requirement in the NDcPP v1.0 and FW cPP v1.0 regarding
the timing of verification of revocation status for X.509 certificates

To align with the NIT interpretation #09, the cPP has been modified to add an application note for FIA_X509_EXT.1.1 and the SD has been updated with additional evaluation activities for FIA_X509_EXT.1, FPT_TST_EXT.2, FPT_TUD_EXT.2 as written below. For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI09.pdf.

Application Note for FIA_X509_EXT.1.1 (NDcPP v1.0):
The TSS shall describe when revocation checking is performed. It is expected that revocation checking is performed when a certificate is used in an authentication step and when performing trusted updates (if selected). It is not sufficient to verify the status of a X.509 certificate only when it is loaded onto the device. It is not necessary to verify the revocation status of X.509 certificates during power-up self-tests (if the option for using X.509 certificates for self-testing is selected).

Addition to SD (v1.0), Section 2.3.5.1 - TSS FIA_X509_EXT.1:
“The evaluator shall ensure the TSS describes when the check of validity of the certificates takes place. It is expected that revocation checking is performed when a certificate is used in an authentication step and when performing trusted updates (if selected). It is not sufficient to verify the status of a X.509 certificate only when it's loaded onto the device. It is not necessary to verify the revocation status of X.509 certificates during power-up self-tests (if the option for using X.509 certificates for self-testing is selected).”

Addition to SD (v1.0), Section 2.3.5.2 – Tests FIA_X509_EXT.1 – general, before the description of tests:
“The evaluator shall demonstrate that checking the validity of a certificate is performed when a certificate is used in an authentication step or when performing trusted updates (if FPT_TUD_EXT.2 is
selected). It is not sufficient to verify the status of a X.509 certificate only when it is loaded onto the device. It is not necessary to verify the revocation status of X.509 certificates during power-up self-tests (if the option for using X.509 certificates for self-testing is selected).”

Addition to SD, (v1.0). Section 2.5.4.1 – Tests FPT_TST_EXT.2:
“It is not necessary to verify the revocation status of X.509 certificates during power-up.”

Addition to SD (v1.0), Section 2.5.6.1 – TSS FPT_TUD_EXT.2:
“The TSS shall describe when revocation checking is performed. It is expected that revocation checking is performed when a certificate is used when performing trusted updates. It is not sufficient to verify the status of a X.509 certificate only when it is loaded onto the device.”

Addition to SD (v1.0), Section 2.5.6.3 – Tests FPT_TUD_EXT.2:
“The evaluator shall demonstrate that checking the validity of a certificate is performed when a certificate is used when performing trusted updates .It is not sufficient to verify the status of a X.509
certificate only when it is loaded onto the device.”

See issue description.