TD0623: FIA_X509_EXT.2.1 Protocol Selection
The SFR in v3.2 currently lists this selection as the first available in the requirement:
The problem is that neither of these two selection items are mandatory, and there is no option for "no other methods".
FIA_X509_EXT.2.1 is modified as follows, with underline denoting addition:
The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for mutually authenticated TLS as defined in the Package for Transport Layer Security, HTTPS, [selection: IPsec in accordance with the PP-Module for VPN Client, mutually authenticated DTLS as defined in the Package for Transport Layer Security, no other protocol], and [selection: code signing for system software updates, code signing for mobile applications, code signing for integrity verification, [assignment: other uses], no additional uses].
See issue description.