NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0423:  NIT Technical Decision for Clarification about application of RfI#201726rev2

Publication Date
2019.05.31

Protection Profiles
CPP_FW_V2.0E, CPP_ND_V2.0E, CPP_ND_V2.1

Other References
ND SD V2.0E, FW SD V2.0E, ND SD V2.1

Issue Description

The NIT has issued a technical decision for clarification about the application of RfI#201726rev2.

Resolution

The use of the terms ‘endpoint’ and ‘external IT entities’ in RFI201726rev2 was not intended to restrict the statement's applicability to machine-to-machine connections. The RfI explicitly refers to the requirements for TLS Servers. A TLS Server is expected to be capable of authenticating itself to external IT entities using X.509 certificates, regardless of whether mutual authentication is supported (FCS_TLSS_EXT.2) or not (FCS_TLSS_EXT.1), and regardless of whether the communication takes place over a trusted channel, a trusted path or Inter-TOE communication (distributed TOEs). Therefore a TLS Server shall also be capable of generating Certificate Requests, which implies that FIA_X509_EXT.3 needs to be claimed.


The following paragraph shall be added to the general text for chapter B3.1.3 (NDcPPv2.0e, FWcPPv2.0e)/B.4.1.3 (NDcPPv2.1):

This element must be included in the ST if X.509 certificates are used as part of FTP_ITC.1, FTP_TRP.1/Admin, or FPT_ITT.1 where the TOE is authenticating itself to external IT entities, administrators, or distributed components.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201840.pdf

Justification

See issue description.

 
 